myMagicPower AIAS Server-Side Request Forgery Vulnerability
Vulnerability
A critical server-side request forgery (SSRF) vulnerability has been identified in mymagicpower AIAS version 20250308. The issue arises in the AsrController.java file, where the 'url' parameter is processed without proper validation, allowing remote attackers to manipulate the argument and initiate unauthorized requests from the server. This vulnerability could be exploited to access internal services or sensitive data.
Impact
Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests to internal resources or external sites, potentially leading to unauthorized data access or exploitation of other vulnerabilities.
Reproduction
The vulnerability can be reproduced by sending a GET request to the '/api/asr/enAsrForLongAudioUrl' or '/api/asr/zhAsrForLongAudioUrl' endpoints with a 'url' parameter pointing to a target that the server can access. The server will then fetch the URL's content, demonstrating the SSRF vulnerability.
Remediation
To address this vulnerability, validate and sanitize all user input used to build server-side HTTP requests. Enforce an allowlist of permitted destinations or IP-range filtering so the server only fetches from trusted resources. Consider proxying outbound requests through a controlled intermediary with appropriate access controls.
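The following is an added illustration of the remediation described above; it is not code from the AIAS project or from AsrController.java. It is a hypothetical validator for a 'url' parameter: it accepts only http/https, rejects userinfo, checks the host against an operator-configured allowlist (the host name audio.example.com and the class and method names are assumptions), and then resolves the host and refuses any address that is loopback, link-local, private, multicast, shared address space (100.64.0.0/10) or IPv6 unique-local, so the server cannot be steered at its own network.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

/**
 * Hypothetical validator for a user-supplied audio URL (added example, not
 * AIAS project code). Rejects anything that is not an http/https URL to an
 * allowlisted host resolving to a public address.
 */
public final class AudioUrlValidator {

    // Assumption: operators configure the hosts the service may fetch from.
    private static final Set<String> ALLOWED_HOSTS = Set.of("audio.example.com");

    private AudioUrlValidator() {}

    /** Returns the parsed URI if it is safe to fetch, otherwise throws. */
    public static URI validate(String raw) {
        final URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed url", e);
        }

        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("https") || scheme.equalsIgnoreCase("http"))) {
            throw new IllegalArgumentException("scheme not allowed");
        }

        // "user:pass@host" forms confuse host parsing; refuse them outright.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed");
        }

        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }

        // An allowlisted name can still be pointed at an internal address
        // (DNS rebinding), so resolve it and check every returned address.
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("host does not resolve", e);
        }
        for (InetAddress a : addrs) {
            if (!isPublic(a)) {
                throw new IllegalArgumentException("host resolves to a non-public address");
            }
        }
        return uri;
    }

    /** True only for addresses outside every reserved/internal range we know. */
    static boolean isPublic(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return false;
        }
        byte[] b = a.getAddress();
        if (b.length == 4) {
            int first = b[0] & 0xff;
            int second = b[1] & 0xff;
            // 0.0.0.0/8 and the shared address space 100.64.0.0/10
            if (first == 0 || (first == 100 && second >= 64 && second <= 127)) {
                return false;
            }
        } else if (b.length == 16) {
            // fc00::/7 unique-local addresses are not covered by isSiteLocalAddress()
            if ((b[0] & 0xfe) == 0xfc) {
                return false;
            }
        }
        return true;
    }
}
```

Two caveats a practitioner should keep in mind when wiring this into a controller: the HTTP client will resolve the host a second time when it connects, so the check above is only airtight if the client is pinned to the validated address or the allowlist contains only hosts you control; and a permitted host can answer with a redirect to an internal address, so disable automatic redirect following (for example HttpClient.Redirect.NEVER, or setInstanceFollowRedirects(false) on HttpURLConnection) and run each redirect target through validate() before following it.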
