We noticed that the upload functionality contains the ability to upload files from remote server, however there are some mitigations against accessing the AWS Instance Metadata service.
We’ve managed to bypass these mitigations using DNS rebinding and we’ve managed to fetch the AWS IAM keys when Concrete CMS is running in the cloud.
We’ve used http://1u.ms/ service for DNS rebinding, please see screenshots with evidence.
An attacker can bypass the SSRF protections and he can fetch the AWS IAM keys under which the application is running. From here on he can do enumeration and mount other attacks.