InstantCMS Blind Server-Side Request Forgery Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in InstantCMS versions through 2.17.3. It allows authenticated remote attackers to make arbitrary HTTP or HTTPS requests via the 'package' parameter; the request is blind, so its response is not returned to the attacker. The issue arises in the installer functionality, where it can be exploited to scan local networks, access local services, conduct denial-of-service attacks, and disclose a server's real IP address if it is behind a reverse proxy. The vulnerability can also be used to exhaust server resources by sending a large number of such requests.

Impact

Exploitation of this vulnerability could lead to unauthorized network scanning, access to local services, denial-of-service conditions, and potential disclosure of the server's real IP address if behind a reverse proxy.

Reproduction

To reproduce this vulnerability, send a POST request to the '/instancms/admin/install' endpoint with the 'package' parameter set to a URL pointing to an external server. The server processes the request and issues an HTTP request to the specified URL, which demonstrates the SSRF.
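The server-side fix for this class of bug is to validate the 'package' URL before fetching it: allow only http/https on expected ports, reject credentials in the authority, resolve the host, and refuse any loopback, private, link-local or otherwise non-public address. The following is an added illustrative check, not InstantCMS code; the allowed schemes and ports, the hostnames and the DNS records are assumptions constructed so it runs offline:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Illustrative allowlist check for an installer "package" URL before the server
# fetches it. Not InstantCMS code; the policy below is an assumption.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def is_public_address(ip_text):
    # Reject loopback, RFC 1918, link-local (incl. 169.254.169.254), ULA,
    # multicast and reserved ranges; unwrap IPv4-mapped IPv6 first.
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return ip.is_global and not ip.is_multicast

def validate_package_url(url, resolve=socket.gethostbyname_ex):
    # Returns (ok, reason, ips); connect to a returned ip, never re-resolve (rebinding).
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username is not None or parts.password is not None or not parts.hostname:
        return False, "bad authority", []
    try:
        port = (443 if scheme == "https" else 80) if parts.port is None else parts.port
    except ValueError:  # non-numeric or out-of-range port
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    try:
        ips = [str(ipaddress.ip_address(parts.hostname))]  # literal IP, no DNS
    except ValueError:
        try:
            ips = list(resolve(parts.hostname)[2])  # every A record must pass
        except OSError:
            return False, "unresolvable host", []
    bad = [ip for ip in ips if not is_public_address(ip)]
    if bad or not ips:
        return False, "non-public address", []
    return True, "ok", ips

# Constructed DNS records so the demonstration runs offline (no real lookups).
FAKE_DNS = {"packages.example": ["8.8.8.8"], "rebind.example": ["8.8.8.8", "127.0.0.1"]}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("constructed NXDOMAIN")
    return host, [], FAKE_DNS[host]
```

The check must also be applied to any redirect target the fetch follows, since the validation of the first URL says nothing about where a 3xx points.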

Added: Sep 11, 2025, 7:29 PM
Updated: Sep 11, 2025, 7:29 PM

Vulnerability Rating

Custom Algorithm

metric          score
spread          3.4
impact          4.4
exploitability  6.3
remediation     0.0
relevance       0.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.