20120630 Novel-Plus Missing Authentication Vulnerability in Crawl Controller

A critical vulnerability has been identified in 20120630 Novel-Plus versions up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. The issue arises in the addCrawlSource function within the CrawlController.java file, where it allows the addition of crawl sources without proper authentication. This vulnerability can be exploited remotely, and has been publicly disclosed.

Impact

Exploitation of this vulnerability could lead to unauthorized access and manipulation of crawl source configurations, potentially allowing for server-side request forgery (SSRF) attacks.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /addCrawlSource endpoint without any authentication. This request will be processed, and a new crawl source will be added, demonstrating the lack of access control. Additionally, the /testParse endpoint can be used to illustrate the SSRF aspect of the vulnerability by sending arbitrary URLs for remote parsing.