SSRF when configuring Website Backup on Acronis Cloud

Disclosed: 2024-08-27 13:50:34 By mr-medi To acronis
Medium
Vulnerability Details
Hi, I hope everything goes well. I have found an SSRF in `https://mc-beta-cloud.acronis.com/ui/#/backup-console/resources` when configuring the backup plan for a website.

## Summary

While I was looking at the functionality of managing backups on websites, I saw that if you specify a local IP from which to get the files, the backend server tries to make requests using the SFTP protocol and returns the response.

## Steps To Reproduce

1. Go to `https://mc-beta-cloud.acronis.com` and log in to your Acronis Cloud account as a customer.
2. Then, go to the section `Devices` > `Websites`.
3. Then, click on `Add` > `Website` and configure it with the following parameters:
   * Website name: `ssrf-test`
   * Host: `192.168.1.1`
   * Port: `22`
   * Username: `test`
   * Password: `test`

   Skip the database configuration part. In the next image you can see the configuration for the website too: {F1146821}
4. Go to the `Websites` section and click on the one created previously, in this case `ssrf-test`. Then, at the top right, click on `Backup`: {F1146823}
5. Select the `Websites to Cloud storage` backup plan and finally click on `Run Now`. In the following image you can see the timeout for the specified local IP `192.168.1.1`: {F1146828}

Also, if you click on `Show Activity` and then on `All properties`, you can see the origin of the failure.

For example, if instead of the configuration established before you enter the IP `127.0.0.1` and port `80`, you can see the following message indicating that there is an HTTP server that is returning the 404 code:

```json
"message": "get ssh password credentials: HTTP Error 404: {\"domain\":\"General\",\"code\":\"NotFound\",\"reason\":\"NotFound\",\"debug\":{\"msg\":\"Credentials object not found\"}}"
```

In the next image you can see the message for the IP `127.0.0.1:80`: {F1146852}

I have made a video where you can see this last scenario with the IP `127.0.0.1`: {F1146908}

As you indicate in your policy, "Always limit exploitation to minimal proof of concept required to demonstrate the vulnerability. Do not attempt to access Acronis or other users' accounts or data or post-exploitation of other vulnerabilities. Stop, report what you have found and request additional testing permission", I have not continued trying to exploit this failure to find any vulnerable internal service or escalate it with other types of bugs that may occur; only if you give me permission and with your consent will I try to give more impact to this issue.

## Recommendations

My advice would be to create a blacklist of the local IP ranges. In this way, the backend server checks whether the IP or host entered by the user is in the list before making the request; if it is not found, it proceeds to make the connection.

Best regards and have a nice day,
@mr-medi

## Impact

An attacker can trigger requests to internal resources and retrieve the response contents. In some situations, this can also be exploited to achieve full remote code execution, find internal vulnerable services, or exfiltrate sensitive information.
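As an added illustration of the denylist the reporter recommends (example code, not Acronis' or the reporter's): the backend resolves the user-supplied host, unwraps IPv4-mapped IPv6 addresses, and refuses the SFTP connection if any resolved address falls in a loopback, link-local or private range. The range list and the function names are assumptions.

```python
import ipaddress
import socket

# Ranges a user-supplied backup host must never resolve to. Assumed list (not
# Acronis'); it covers the two addresses from the report, 192.168.1.1 and
# 127.0.0.1, plus the other RFC 1918, link-local and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr: str) -> bool:
    """True if a single IP literal falls in a blocked range."""
    ip = ipaddress.ip_address(addr)
    # "::ffff:127.0.0.1" is loopback too: compare the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_host(host: str) -> list[str]:
    """All addresses the host resolves to (an IP literal needs no DNS lookup)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def validate_backup_host(host: str) -> tuple[bool, list[str]]:
    """Decide whether the backend may open an SFTP connection to `host`.

    Returns (allowed, addresses). Every resolved address must be outside the
    blocked ranges, so a name with one public and one private record is
    refused. The caller should connect to one of the returned addresses
    rather than resolving the name a second time, so the answer cannot
    change between the check and the connection.
    """
    try:
        addrs = resolve_host(host)
    except (socket.gaierror, UnicodeError):
        return False, []  # an unresolvable host is refused, not retried
    blocked = [a for a in addrs if is_blocked_address(a)]
    return (not blocked), addrs
```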
Report Stats
  • Report ID: 1072873
  • State: Closed
  • Substate: resolved
  • Upvotes: 30