yanyutao0402 ChanCMS Server-Side Request Forgery Vulnerability
Vulnerability
A critical server-side request forgery (SSRF) vulnerability has been identified in yanyutao0402 ChanCMS versions prior to 3.1.2. The issue arises in the 'getArticle' function within 'app/modules/api/service/gather.js', where the 'targetUrl' parameter is user-controllable and lacks proper security validation. This flaw allows remote attackers to manipulate the URL and potentially access internal hosts and services.
Impact
Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests to internal resources, potentially leading to unauthorized access or information disclosure.
Reproduction
To reproduce this vulnerability, send a POST request to '/cms/gather/getArticle' with a crafted 'targetUrl' parameter that points to an internal service or host. The server will fetch the URL's content, bypassing normal security controls.
Remediation
Upgrade to ChanCMS version 3.1.3, which addresses this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.