MCCMS Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in MCCMS version 2.7.0. The issue is located in the index() method of the sys\apps\controllers\api\Gf.php file, where the pic parameter is processed. The vulnerability arises because the pic parameter is decrypted using a hard-coded key, allowing attackers to craft malicious encrypted pic parameters that, when decrypted, point to internal addresses or local file paths. The decrypted URLs are then accessed via cURL without proper security checks. This vulnerability can be exploited to access internal services, probe local file systems, and read sensitive files, leading to information leakage or system exposure.
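The checks missing before the cURL call, as an added example; this is not MCCMS code or a vendor patch. The function names safe_fetch_pic() and is_public_ip() are hypothetical, and the code assumes it receives the pic value after decryption.

```php
<?php
// Added example (hypothetical helpers, not part of MCCMS).

function is_public_ip(string $ip): bool
{
    // Fails for the private and reserved ranges PHP's filter knows about,
    // including 10/8, 172.16/12, 192.168/16, 127/8 and 169.254/16.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function safe_fetch_pic(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                    // rejects file:// and every other non-HTTP scheme
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once (IPv4 only) and require every returned address to be public.
    // Bracketed IPv6 literals do not resolve here and are rejected.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return null;
        }
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // enforced by libcurl too
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could lead back to an internal address
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"], // connect to the address that was checked
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}
```

Validation alone does not address the hard-coded key; a per-installation secret is still needed so that clients cannot produce valid pic values themselves.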
Impact
Exploitation of this vulnerability allows access to internal services and local file systems through various protocols, potentially leading to sensitive data leakage, unauthorized file access, or exposure of internal services.
Reproduction
To reproduce this vulnerability, send a GET request to the /index.php/api/gf/ endpoint with a crafted pic parameter that points to an internal address or local file using the file:// protocol. The request can be made using a tool like Burp Suite or a simple cURL command. Once the request is sent, the server's response can be checked to confirm the exploitation.
