Description
Hello, I found an SSRF in the latest version of PublicCMS, V4.0.202011.b.
The vulnerability is triggered by visiting either of the following addresses after logging in to the management backend:
http://192.168.6.237:8081/publiccms/admin/ueditor?action=catchimage&file%5b%5d=http://192.168.103.3
http://192.168.6.237:8081/publiccms/admin/ueditor?action=catchimage&file%5B%5D=https://www.baidu.com
The "file[]" parameter is not restricted: the IP addresses and domain names it is allowed to fetch are never checked, so the server can be made to request arbitrary internal or external targets, which is an SSRF.
An error is returned when the probed host or port is not open:

Success is returned when the probed host and port are open:


Attackers can use this vulnerability to scan the internal network for live hosts and open ports, and to attack vulnerable applications on the internal network, such as Redis or Struts2, and so gain further control of the server.
PublicCMS is a useful CMS for development, so I think this security issue deserves attention and a fix. Looking forward to your reply.
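The fix the catchimage action needs is a check on each "file[]" URL before the server fetches it: only http/https, no credentials in the URL, and no target that resolves to a loopback, private, link-local or otherwise non-public address. The following is an added example of that check, not code from PublicCMS (which is a Java project; this stand-in is in Python). The `check_remote_url` function and the injectable `resolve` callback are assumptions for illustration; the sample targets below are constructed, and the "8.8.8.8" answer for the public host comes from a fake resolver so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolve(host):
    """Resolve a hostname to all of its A/AAAA addresses (real DNS lookup)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged as its IPv4 form
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_remote_url(url, resolve=_default_resolve):
    """Return (ok, reason) for a URL the server is about to fetch.

    Rejects non-http(s) schemes, URLs carrying userinfo, unresolvable hosts,
    and any host whose literal or resolved address is not a public address
    (loopback, RFC 1918, link-local/169.254.169.254, multicast, etc.).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    try:
        # Literal IP (IPv4, or IPv6 with the brackets already stripped)
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError, OSError):
            return False, "host does not resolve: %r" % host
    if not addrs:
        return False, "host does not resolve: %r" % host
    # Every resolved address must be public: one internal record is enough
    # for an attacker-controlled name to reach the internal network.
    for ip in addrs:
        if not _is_public(ip):
            return False, "target %s is not a public address" % ip
    return True, "ok"


if __name__ == "__main__":
    # Constructed targets mirroring the report: an internal host, Redis on
    # loopback, cloud metadata, and a public site via a fake resolver.
    for target in ("http://192.168.103.3", "http://127.0.0.1:6379/",
                   "http://169.254.169.254/latest/meta-data/",
                   "file:///etc/passwd", "http://[::ffff:10.0.0.1]/"):
        print(target, check_remote_url(target))
    print("https://www.baidu.com",
          check_remote_url("https://www.baidu.com", resolve=lambda h: ["8.8.8.8"]))
```

One caveat a deployment still has to handle: the address checked here must be the one actually connected to, otherwise a DNS name that answers with a public address first and an internal one on the next lookup (DNS rebinding) passes the check and still reaches the intranet. The fetch should connect to the vetted IP directly, and any HTTP redirect it follows needs the same check applied to the new location.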