PerfreeBlog
cpe:2.3:a:perfree:perfreeblog:*:*:*:*:*:*:*
- 4.0.11
A server-side request forgery (SSRF) vulnerability has been identified in PerfreeBlog version 4.0.11. The issue arises from a missing authorization check in the 'uploadAttachByUrl' API endpoint, allowing unauthenticated users to send requests that could be exploited to access internal networks or cloud metadata.
Exploitation of this vulnerability allows for unauthorized SSRF attacks, where an attacker can scan internal ports, access cloud metadata services (such as AWS or Azure), and potentially read local files.
The vulnerability can be reproduced by sending a POST request to the 'uploadAttachByUrl' endpoint without any authentication. The request must include a JSON payload with a 'url' field containing the target URL. This can be done using a tool like curl.
The vulnerability can be fixed by adding the missing authorization check to the 'uploadAttachByUrl' API endpoint. This can be done by including the '@PreAuthorize' annotation to ensure that only users with the appropriate permissions can access the endpoint.
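The fix described above, sketched as an added example (not PerfreeBlog's own code): the handler gains `@PreAuthorize`, and, going beyond the stated fix, a destination check rejects loopback, private and link-local (cloud metadata) targets. The class name, route and permission string are placeholders, and Spring method security is assumed to be enabled.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.util.Map;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AttachByUrlExample {

    // Assumption: the route and authority name are placeholders, not the project's real values.
    // Without @PreAuthorize the method is reachable by any caller that can hit the route.
    @PostMapping("/example/attach/uploadAttachByUrl")
    @PreAuthorize("hasAuthority('PLACEHOLDER_ATTACH_UPLOAD')")
    public ResponseEntity<String> uploadAttachByUrl(@RequestBody Map<String, String> body) {
        String url = body.get("url");
        if (url == null || !isPublicHttpTarget(url)) {
            return ResponseEntity.badRequest().body("url rejected");
        }
        // The validated URL would be passed to the application's download/storage logic here.
        return ResponseEntity.ok("accepted");
    }

    // Allow only http(s) URLs whose host resolves exclusively to public addresses.
    static boolean isPublicHttpTarget(String url) {
        try {
            URI uri = new URI(url);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) return false;
            if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return false; // no file:, etc.
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                byte[] raw = addr.getAddress();
                boolean uniqueLocalV6 = addr instanceof Inet6Address && (raw[0] & 0xfe) == 0xfc; // fc00::/7
                if (addr.isAnyLocalAddress() || addr.isLoopbackAddress()
                        || addr.isLinkLocalAddress()  // 169.254.0.0/16 (metadata services), fe80::/10
                        || addr.isSiteLocalAddress()  // 10/8, 172.16/12, 192.168/16
                        || addr.isMulticastAddress() || uniqueLocalV6) {
                    return false;
                }
            }
            return true;
        } catch (java.net.URISyntaxException | java.net.UnknownHostException e) {
            return false;
        }
    }
}
```

The address check is not exhaustive, and it only helps if the subsequent fetch connects to the address that was validated and re-validates every redirect target.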