| Título | pagekitCMS 1.0.18 pagekitCMS |
|---|
| Descrição | github开源项目 pagekitCMS
https://github.com/pagekit/pagekit
公网资产可以通过fofa pagekit 进行收集
Publicly accessible assets of the Pagekit CMS, a GitHub open-source project, can be collected by searching for "pagekit" on FOFA.
https://github.com/pagekit/pagekit
Pagekit CMS 1.0.18 的系统更新下载接口 /admin/system/update/download 中存在服务端请求伪造(SSRF)漏洞。
该接口接受用户通过 POST 参数传入的 url 值,未对 URL 的协议(scheme)、目标主机(host)进行任何验证或白名单限制,直接将其传入 PHP 的 fopen() 函数执行文件读取/网络请求,并将获取到的内容写入服务器临时目录。
攻击者(需具备管理员权限)可利用此漏洞:
1. 通过 file:// 协议读取服务器本地任意文件
2. 探测内网端口和服务
3. 访问云实例元数据(如 http://x.x.x.x/)窃取云凭据
4. 向内网服务发起攻击请求
A Server-Side Request Forgery (SSRF) vulnerability exists in the system update download endpoint of Pagekit CMS 1.0.18.
The POST /admin/system/update/download endpoint accepts a user-supplied url parameter and passes it directly to PHP's fopen() function without any validation on the URL scheme, target host, or content. The fetched content is then written to a temporary file on the server via file_put_contents().
An authenticated administrator can exploit this vulnerability to:
1. Read arbitrary local files on the server via the file:// protocol
2. Scan internal network ports and services
3. Access cloud instance metadata (e.g., http://x.x.x.x/) to steal cloud credentials
4. Send requests to internal network services as a pivot point |
|---|
| Fonte | ⚠️ https://www.yuque.com/fortune-toq55/giqwnb/ek05kkfeg1gg8v6t |
|---|
| Utilizador | fortuneh2c (UID 97063) |
|---|
| Submissão | 03/04/2026 05h37 (há 23 dias) |
|---|
| Moderação | 24/04/2026 21h05 (22 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 359526 [pagekit até 1.0.18 download url Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|