Exrick xboot Server-Side Request Forgery Vulnerability in Swagger Component
Vulnerability
A critical server-side request forgery (SSRF) vulnerability has been identified in Exrick xboot versions through 3.3.4. The issue resides in the Swagger component, specifically in the SecurityController.java file. The vulnerability arises because the user-controllable loginUrl parameter is not validated before being used to make a network request from the server. Because no check is applied to the supplied URL, an attacker can direct the loginUrl parameter at internal services of the target system.
Impact
Exploitation of this vulnerability allows for server-side request forgery, where an attacker can manipulate requests from the server to internal services, potentially leading to unauthorized access or information disclosure.
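One way the missing check described above could be closed on the server side, as an added example that is not part of this advisory or of the xboot project: a hypothetical Java helper (the class name, method names and the allowlist contents are all assumptions) that validates a user-supplied URL before the application fetches it. It accepts only absolute http/https URLs with no embedded credentials whose host is on an explicit allowlist, and, as defence in depth, resolves the host and refuses loopback, private, link-local, unspecified and multicast addresses.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Illustrative guard for a user-supplied URL (here called loginUrl) that the
 * server would otherwise request. Added example, not xboot's own code: the
 * class, the method names and the allowlist contents are assumptions.
 */
public final class LoginUrlGuard {

    // Placeholder allowlist of hosts the server is permitted to contact.
    static final Set<String> ALLOWED_HOSTS = Set.of("sso.example.com");

    private LoginUrlGuard() {}

    /**
     * Step 1: structural checks that need no network access.
     * Returns the parsed URI only for an absolute http/https URL without
     * userinfo whose host is on the allowlist; otherwise returns empty.
     */
    public static Optional<URI> acceptIfAllowlisted(String raw, Set<String> allowedHosts) {
        if (raw == null || raw.length() > 2048) return Optional.empty();
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        String scheme = uri.getScheme();
        if (scheme == null) return Optional.empty();
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return Optional.empty();
        // "user@host" forms are rejected outright: the part before '@' is not the host.
        if (uri.getRawUserInfo() != null) return Optional.empty();
        String host = uri.getHost();
        if (host == null) return Optional.empty();
        host = host.toLowerCase(Locale.ROOT);
        if (!allowedHosts.contains(host)) return Optional.empty();
        return Optional.of(uri);
    }

    /**
     * Step 2: defence in depth. Resolve the host and refuse any address in a
     * loopback, site-local, link-local, unspecified or multicast range, so an
     * allowlisted name that later points at an internal address is still rejected.
     */
    public static boolean resolvesToPublicAddress(String host) {
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            return false;
        }
        for (InetAddress a : addrs) {
            if (a.isLoopbackAddress() || a.isSiteLocalAddress() || a.isLinkLocalAddress()
                    || a.isAnyLocalAddress() || a.isMulticastAddress()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; one decision is printed per URL.
        String[] samples = {
            "https://sso.example.com/login",              // allowlisted host: accepted
            "http://127.0.0.1:8080/",                     // loopback, not allowlisted: rejected
            "http://10.0.0.5/",                           // private range, not allowlisted: rejected
            "https://other.example.net/",                 // not allowlisted: rejected
            "https://sso.example.com@other.example.net/"  // userinfo present: rejected
        };
        for (String s : samples) {
            boolean ok = acceptIfAllowlisted(s, ALLOWED_HOSTS).isPresent();
            System.out.println((ok ? "ACCEPT " : "REJECT ") + s);
        }
        // The address-range filter, shown on IP literals so no DNS lookup is needed.
        System.out.println("127.0.0.1 public? " + resolvesToPublicAddress("127.0.0.1"));
        System.out.println("10.0.0.5 public? " + resolvesToPublicAddress("10.0.0.5"));
        System.out.println("203.0.113.7 public? " + resolvesToPublicAddress("203.0.113.7"));
    }
}
```

Two caveats for anyone adapting this: InetAddress.isSiteLocalAddress() covers the RFC 1918 IPv4 ranges and fec0::/10 but not IPv6 unique local addresses (fc00::/7) or the shared address space 100.64.0.0/10, so a production check should compare against an explicit range list; and the resolution in step 2 is only meaningful if the HTTP client then connects to the address that was checked, otherwise a second lookup at connect time can return a different answer.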
Reproduction
To reproduce this vulnerability, send a GET request to the /xboot/common/swagger/login endpoint with a crafted loginUrl parameter that points to an external server you control. Include a username and password in the request. The server will then make a request to the specified loginUrl, allowing you to verify the SSRF vulnerability.
