Moxi159753 Mogu Blog V2 Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Moxi159753 Mogu Blog V2, affecting versions through 5.2. The vulnerability resides in the 'LocalFileServiceImpl.uploadPictureByUrl' function, reached through the '/file/uploadPicsByUrl' endpoint. The endpoint accepts a list of URLs from an unauthenticated caller and the server fetches and processes them without validating the scheme or destination. The fetched content can therefore include sensitive local files, data from internal services, or cloud metadata, which amounts to a significant compromise of the system.

Impact

Exploitation of this vulnerability allows for unauthorized file reads, access to internal network services, retrieval of cloud metadata, and a complete bypass of authentication requirements.

Reproduction

To reproduce this vulnerability, send a POST request to the '/file/uploadPicsByUrl' endpoint without authentication. Include fake 'userUid' and 'adminUid' values that are non-empty strings. Supply a 'systemConfig' object in the request body to control the upload settings, and place the URLs to be fetched in the 'urlList' parameter, for example 'file:///etc/passwd' to read a local file or 'http://169.254.169.254/latest/meta-data/' to reach cloud metadata.

Remediation

It is recommended to require authentication on the '/file/uploadPicsByUrl' endpoint so it is no longer publicly reachable, to validate the supplied 'userUid' and 'adminUid' against the database, and to restrict fetched URLs to an allowlist of trusted domains.
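The URL allowlist from the remediation, as an added example that is not the project's own code: each 'urlList' entry must use http or https, its host must be on an operator-configured allowlist (the hosts below are hypothetical), and the name must resolve only to globally routable addresses, so an allowlisted name pointed at an internal or link-local address such as the metadata service is still refused. The DNS answers and the sample list are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical operator-configured allowlist of image hosts (not from the project).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}
ALLOWED_SCHEMES = {"http", "https"}

def system_resolver(host):
    # Resolve host to IP strings with the system resolver; [] if it does not resolve.
    try:
        return [i[4][0].split("%")[0] for i in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def is_safe_upload_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason) for one urlList entry; only ok entries may be fetched."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname  # lowercased; excludes any user:pass@ prefix
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, "host not in allowlist: %r" % host
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    # Reject private, loopback, link-local and other non-global answers (e.g. 169.254.169.254).
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            return False, "host resolves to disallowed address %s" % ip
    return True, "ok"

def filter_url_list(url_list, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    # Keep only the urlList entries that pass the check above.
    return [u for u in url_list if is_safe_upload_url(u, allowed_hosts, resolver)[0]]

# Constructed DNS answers for offline use; 10.0.0.5 models an allowlisted name aimed inward.
FAKE_DNS = {"images.example.com": ["93.184.216.34"], "cdn.example.net": ["10.0.0.5"]}
fake_resolver = lambda host: FAKE_DNS.get(host, [])

# Constructed urlList mirroring the request shape described in the advisory.
SAMPLE_URL_LIST = [
    "https://images.example.com/avatar.png",            # accepted
    "file:///etc/passwd",                               # scheme rejected
    "http://169.254.169.254/latest/meta-data/",         # host not allowlisted
    "http://images.example.com@169.254.169.254/x.png",  # userinfo trick: host is the IP
    "https://cdn.example.net/banner.jpg",               # allowlisted name, internal address
]
```

The check runs before the fetch, so the HTTP client must also refuse to follow redirects (or re-run the check on each redirect target) and should connect to the address that was validated, otherwise a redirect or a changed DNS answer after the check would bypass it.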

Added: Dec 1, 2025, 8:22 AM
Updated: Dec 1, 2025, 4:07 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.