yanyutao0402 ChanCMS Server-Side Request Forgery Vulnerability
Vulnerability
A critical server-side request forgery (SSRF) vulnerability has been identified in yanyutao0402 ChanCMS versions through 3.1.2. The issue arises in the 'getPages' function within the file '/cms/collect/getPages', where the 'targetUrl' parameter is user-controllable and lacks proper security validation. This vulnerability allows remote attackers to access internal hosts and services.
Impact
Exploitation of this vulnerability could lead to unauthorized access to internal services and resources, potentially allowing attackers to manipulate or exfiltrate sensitive information.
Reproduction
To reproduce this vulnerability, send a POST request to '/cms/collect/getPages' with a payload that includes a malicious 'targetUrl' pointing to an internal resource. The absence of security checks on the 'targetUrl' parameter will enable the SSRF attack, allowing access to restricted internal services.
Remediation
Upgrade to ChanCMS version 3.1.3, which addresses the SSRF vulnerability. The updated version is available for download on the ChanCMS Gitee release page.
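Where an immediate upgrade is not possible, or to review other endpoints that fetch a caller-supplied URL, the following added example shows the kind of validation the 'targetUrl' parameter lacked. It is not ChanCMS code and not the 3.1.3 fix; the function names and the blocked ranges chosen are assumptions made for illustration.

```javascript
// Added example: names are hypothetical, not ChanCMS code.
// Resolved addresses are passed in so the check runs offline; a real handler
// would get them from DNS and then connect to the address it validated.

function ipv4Blocked(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(Number.isNaN)) return true;   // fail closed
  return o[0] === 0 || o[0] === 10 || o[0] === 127 ||        // this-net, private, loopback
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127) ||           // shared space 100.64.0.0/10
    (o[0] === 169 && o[1] === 254) ||                        // link-local, incl. cloud metadata
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||            // private 172.16.0.0/12
    (o[0] === 192 && o[1] === 168) ||                        // private 192.168.0.0/16
    o[0] >= 224;                                             // multicast and reserved
}

function ipv6Blocked(ip) {
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip);
  if (mapped) {                                              // IPv4-mapped: test the IPv4 inside
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return ipv4Blocked([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  return ip === '::' || ip === '::1' ||                      // unspecified, loopback
    /^f[cd][0-9a-f]{2}:/.test(ip) ||                         // unique local fc00::/7
    /^fe[89ab][0-9a-f]:/.test(ip);                           // link-local fe80::/10
}

function addressBlocked(ip) {
  try {  // the URL parser canonicalises alternative spellings of an address
    const h = new URL(ip.includes(':') ? `http://[${ip}]/` : `http://${ip}/`).hostname;
    return h.startsWith('[') ? ipv6Blocked(h.slice(1, -1)) : ipv4Blocked(h);
  } catch { return true; }                                   // unparseable: fail closed
}

function checkTargetUrl(raw, resolved = []) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname;
  const literal = host.startsWith('[') || /^\d+(\.\d+){3}$/.test(host);
  const addrs = literal ? [host.replace(/^\[|\]$/g, '')] : resolved;
  if (addrs.length === 0) return { ok: false, reason: 'no resolved address' };
  const bad = addrs.filter(addressBlocked);                  // every address must be public
  return bad.length ? { ok: false, reason: `internal address ${bad[0]}` } : { ok: true, reason: 'ok' };
}
```

The request that follows should connect to the address that was validated and refuse or re-check redirects, since a redirect or a second DNS answer can point somewhere the check never saw.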
