EyouCMS Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability exists in EyouCMS versions through 1.7.7. The issue arises in the 'saveRemote' function within 'application/function.php', where remote image fetching lacks proper URL validation. This flaw allows authenticated attackers to make the server send HTTP requests to arbitrary internal or external hosts, potentially exposing sensitive services or data.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal network services, cloud metadata endpoints, and the ability to probe internal systems or perform denial-of-service attacks on internal services.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the image-catch endpoint '/index.php?m=user&c=Uploadify&a=ueditor&action=catchimage', including a crafted URL that points to an internal service or resource. The server will attempt to fetch the URL, and the response can be used to confirm successful exploitation.

Remediation

Users are advised to update to EyouCMS version 1.7.8, which addresses this vulnerability.
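As an added example (not EyouCMS's own code), the following shows the kind of URL validation that the description above says 'saveRemote' lacks: it restricts the scheme and port, resolves the host itself, rejects private and reserved addresses, and pins the cURL connection to the checked address. The function names, the port allowlist and the cURL settings are assumptions, not taken from the EyouCMS code base.

```php
<?php
// Added example, not EyouCMS's own code: a defensive check that a remote-image
// fetcher such as saveRemote() could run before requesting a user-supplied URL.

// True only for a globally routable address. FILTER_FLAG_NO_PRIV_RANGE rejects
// 10/8, 172.16/12, 192.168/16 and fc00::/7; FILTER_FLAG_NO_RES_RANGE rejects
// 0/8, 127/8, 169.254/16 (cloud metadata lives here), ::1, fe80::/10 and others.
function ip_is_public(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns [host, port, resolved public IP] for an acceptable URL, or null.
// Assumption: only HTTP(S) on the default ports is a legitimate image source.
function validate_remote_image_url(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null; // no file://, gopher://, ...
    if (isset($p['user']) || isset($p['pass'])) return null;      // no http://trusted@other/ confusion
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return null;           // no probing of other ports
    $host = trim($p['host'], '[]');                                // unwrap IPv6 literals
    // Resolve here so the address that is checked is the address that gets used.
    // gethostbyname() handles IPv4 only; IPv6-only hostnames are refused (safe default).
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    return ip_is_public($ip) ? [$host, $port, $ip] : null;
}

// Fetch with the connection pinned to the validated IP (CURLOPT_RESOLVE), so a
// DNS answer that changes between check and fetch cannot reach an internal host.
function fetch_remote_image(string $url): ?string {
    $target = validate_remote_image_url($url);
    if ($target === null) return null;
    [$host, $port, $ip] = $target;
    $pin = str_contains($ip, ':') ? "[$ip]" : $ip;                 // bracket IPv6 for cURL
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RESOLVE        => ["$host:$port:$pin"],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

Callers should also enforce a size limit and verify the fetched bytes are actually an image before saving them, which the page's description of the fix does not cover and this snippet leaves out.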

Added: Dec 31, 2025, 4:17 AM
Updated: Dec 31, 2025, 4:17 AM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          1.0
impact          10.0
exploitability  6.8
remediation     7.7
relevance       1.8
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.