thinkgem JeeSite UEditor Image Grabber Server-Side Request Forgery Vulnerability

Vulnerability

A critical server-side request forgery (SSRF) vulnerability has been identified in thinkgem JeeSite versions through 5.12.0. The issue lies in the UEditor Image Grabber component, specifically in the ActionEnter.java file. Manipulating the 'source' parameter causes the server to request an attacker-chosen URL, so remote attackers can reach internal or external resources on the server's behalf.

Impact

Exploiting this vulnerability lets an attacker make the server send requests to other servers or services, which can lead to unauthorized data access or to interaction with internal services through the server.

Reproduction

To reproduce this vulnerability, send a POST request to the '/js/a/file/ueditor/catchimage' endpoint with the 'fieldName' parameter set to 'source'. Include a 'source' parameter with a URL that can be controlled or monitored, such as a DNS log URL. The server will then make a request to the specified URL, demonstrating the SSRF vulnerability.

Remediation

Users are advised to update to the latest version of thinkgem JeeSite, as the vulnerability has been patched. The patch is available in the commit identified by 1c5e49b0818037452148e0f8ff69ed04cb8fefdc.
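Updating is the fix; while that rolls out, the compensating control for any image-grabber style endpoint is to refuse caller-supplied URLs that do not point at a public host. The following is an added example written for this page, not JeeSite's own code or the patched logic from the commit above. The function and helper names (is_safe_fetch_target, vet_catchimage_sources, resolve_all) are hypothetical, and the FAKE_DNS table is constructed so the policy can be exercised offline; it rejects non-http(s) schemes, URLs carrying userinfo, literal or resolved loopback, private, link-local and other special addresses, and names whose answer set mixes public and internal addresses.

```python
"""Added example: an SSRF guard for a server-side image grabber.

Not JeeSite's code. It shows the check a catchimage-style endpoint should
apply to every caller-supplied 'source' URL before fetching it.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def resolve_all(host):
    """Resolve a host name to every A/AAAA answer (hypothetical helper)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_safe_fetch_target(url, resolver=resolve_all):
    """Decide whether the server may fetch ``url`` on a caller's behalf.

    ``resolver`` maps a host name to a list of IP strings; it is injectable
    so the policy can be tested without network access.
    """
    try:
        parsed = urlparse(url)
    except ValueError:          # e.g. malformed bracketed IPv6 host
        return False
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False            # file:, gopher:, dict:, ... are never fetched
    if parsed.username is not None or parsed.password is not None:
        return False            # 'http://trusted@127.0.0.1/' style confusion
    host = parsed.hostname
    if not host:
        return False
    try:
        # A literal IP is checked directly; a name must resolve, and every
        # answer has to be public, otherwise a mixed record set could steer
        # the fetch at an internal host.
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:         # NXDOMAIN, timeout, etc.: fail closed
            return False
    if not addresses:
        return False
    return all(is_public_address(a) for a in addresses)


def vet_catchimage_sources(sources, resolver=resolve_all):
    """Split a list of 'source' URLs into fetchable and rejected ones."""
    accepted, rejected = [], []
    for url in sources:
        (accepted if is_safe_fetch_target(url, resolver) else rejected).append(url)
    return accepted, rejected


# Constructed resolver table for offline demonstration; not real DNS data.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],   # mixed answers
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolver(host):
    """Stand-in for resolve_all() that answers from FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")


if __name__ == "__main__":
    sample = [                  # constructed inputs
        "https://cdn.example.com/logo.png",
        "http://127.0.0.1:8080/",
        "http://[::1]/",
        "http://metadata.internal/latest/",
        "http://rebind.example.net/x.png",
        "file:///tmp/logo.png",
        "http://trusted@cdn.example.com/",
    ]
    ok, bad = vet_catchimage_sources(sample, fake_resolver)
    print("fetch:", ok)
    print("reject:", bad)
```

Two design points matter in practice. The decision is made on the resolved address, not on the URL string, so decimal, hex or otherwise encoded host spellings are judged by what they resolve to rather than by pattern matching. And because the check resolves the name once, the fetching code must connect to the address that was validated (or re-validate at connect time); a name that changes its answer between the check and the fetch would otherwise slip past it.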

Added: Jul 17, 2025, 10:47 PM
Updated: Jul 17, 2025, 10:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.