Submission #777516: mingSoft MCMS 5.5.0 Server-Side Request Forgery (Info)

Title: mingSoft MCMS 5.5.0 Server-Side Request Forgery
Description: MCMS contains a server-side request forgery vulnerability in its remote image capture feature. The editor endpoint accepts user-supplied remote URLs through the `catchimage` action and forwards them to the server-side fetch utility without sufficient validation of scheme, host, or destination network range. An attacker can abuse this behavior to make the application server issue requests to arbitrary internal or external targets, including localhost, RFC1918 addresses, and cloud metadata endpoints.

The vulnerable logic is implemented in the editor image capture flow. When the request action is `catchimage`, the application reads the user-controlled parameter array `source[]`, iterates over each supplied remote URL, and passes it to a helper that downloads the remote resource and converts it into a multipart file for later storage. Because the application does not adequately restrict the target URL before fetching it, an attacker can cause the server to initiate outbound requests to attacker-chosen destinations. This enables classic SSRF against internal services that are not directly reachable from the internet.

An attacker can exploit this by:

1. Sending a request to the editor endpoint with `action=catchimage`
2. Supplying one or more crafted values in `source[]`
3. Forcing the server to connect to internal hosts or metadata services
4. Using the response behavior, saved content, timing, or downstream processing to confirm reachable targets or retrieve data

This is a meaningful network pivot because the HTTP request originates from the MCMS server, not from the attacker.
Source: https://github.com/wing3e/public_exp/issues/3
User: Winegee (UID 96308)
Submitted: 2026-03-11 09:16 (19 days ago)
Moderated: 2026-03-27 08:53 (16 days later)
Status: Accepted
VulDB entry: 353831 [mingSoft MCMS up to 5.5.0 Editor Endpoint BaseAction.java catchImage catchimage privilege escalation]
Points: 20
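
The description says the `source[]` URLs reach the fetch helper without validation of scheme, host, or destination network range. The following is an added example, not MCMS code and not from the submitter: a Java check that could run on each `source[]` value before any fetch. The class and method names are hypothetical and the sample URLs are constructed.

```java
import java.net.InetAddress;
import java.net.URI;
import java.util.List;

// Hypothetical helper, not part of MCMS: gate each source[] value before fetching.
public class CatchImageUrlCheck {

    /** True only for http(s) URLs whose host resolves solely to public addresses. */
    static boolean isAllowed(String source) {
        try {
            URI uri = new URI(source);
            String scheme = uri.getScheme();
            if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) return false;
            String host = uri.getHost();
            if (host == null || uri.getUserInfo() != null) return false;
            // Check every resolved address: one internal record is enough to reject.
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (isInternal(addr)) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // unparsable URL or unresolvable host: fail closed
        }
    }

    static boolean isInternal(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) return true;
        byte[] b = a.getAddress();
        if (b.length == 16) return (b[0] & 0xfe) == 0xfc;     // IPv6 unique local fc00::/7
        return (b[0] & 0xff) == 0                              // 0.0.0.0/8
            || ((b[0] & 0xff) == 100 && (b[1] & 0xc0) == 64);  // CGNAT 100.64.0.0/10
    }

    public static void main(String[] args) {
        // Constructed inputs; IP literals only, so no DNS lookup is needed to run this.
        List<String> samples = List.of(
            "https://93.184.216.34/logo.png",   // public address: allowed
            "http://127.0.0.1:8080/",           // loopback
            "http://10.0.0.5/a.png",            // RFC1918
            "http://169.254.169.254/",          // link-local (cloud metadata range)
            "http://[::1]/",                    // IPv6 loopback
            "file:///tmp/a.png");               // non-HTTP scheme
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

The check has to apply to the address the HTTP client actually connects to and to every redirect hop; otherwise a DNS change or a redirect between the check and the fetch bypasses it.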
