crmeb
cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*
- 1.4
A server-side request forgery (SSRF) vulnerability has been identified in CRMEB Java version 1.4. The issue arises in the Qrcode Base64 endpoint, specifically within the RestTemplateUtil class: the attacker-controlled url parameter is passed to RestTemplate.getForEntity() without any validation of its scheme, host or destination, so the server issues an HTTP request to whatever URL the attacker supplies. Because the endpoint is whitelisted in the authentication interceptor, no login credentials are required to reach it.
Exploitation allows an unauthenticated attacker to make arbitrary HTTP requests from the application server. Because those requests originate inside the deployment, they can reach hosts the attacker cannot contact directly, such as services bound to localhost or the internal network, potentially exposing internal services or data.
To reproduce this vulnerability, send a POST request to the '/api/front/qrcode/base64' endpoint with the url parameter pointing at a host whose DNS lookups or HTTP requests you can log (an out-of-band callback service). A lookup or request recorded from the server's address confirms the vulnerability. Alternatively, point the url parameter at an internal service such as MySQL or Redis and observe the response, which differs when the server was able to connect to the internal service.
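The root cause above is a fetch helper that trusts a user-supplied URL, and the reproduction steps show exactly the destinations such a helper must refuse (loopback, internal hosts, non-HTTP ports). The following is an added example, not CRMEB's code (which is Java): a Python validator of the kind a helper like RestTemplateUtil would need to run before handing the url parameter to an HTTP client. It checks scheme, userinfo and port, resolves the host, and rejects any answer that is not a public address. The names validate_fetch_url, rejection_reason, demo_resolver and ALLOWED_PORTS are this example's own, and the DNS table in demo_resolver is constructed so the block runs offline.

```python
# Added example (not CRMEB code): an allow/deny check for a user-supplied
# fetch URL, applied before the URL reaches an HTTP client. All names are the
# example's own; the demo_resolver answers are constructed for offline use.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}          # assumption: image sources use standard ports


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_public_ip(ip: str) -> bool:
    # is_global is False for loopback, RFC 1918, link-local (169.254/16, the
    # cloud metadata range), CGNAT, documentation and reserved ranges, and
    # for IPv4-mapped IPv6 forms of those ranges.
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def demo_resolver(host: str) -> list[str]:
    # Constructed answers so the example runs without network access.
    table = {
        "img.example":    ["8.8.8.8"],
        "rebind.example": ["8.8.8.8", "10.0.0.5"],   # one public, one internal
        "localhost":      ["127.0.0.1"],
    }
    if host not in table:
        raise socket.gaierror(f"constructed NXDOMAIN for {host!r}")
    return table[host]


def validate_fetch_url(url: str, resolver=system_resolver) -> tuple[str, list[str]]:
    """Return (url, resolved_ips) if the URL may be fetched; raise UnsafeUrl otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeUrl("malformed port") from exc
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")
    try:
        ips = [str(ipaddress.ip_address(host))]     # literal address, no DNS
    except ValueError:
        try:
            ips = resolver(host)                    # every answer must be public
        except socket.gaierror as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}") from exc
        if not ips:
            raise UnsafeUrl(f"no addresses for {host!r}")
    for ip in ips:
        if not is_public_ip(ip):
            raise UnsafeUrl(f"{host!r} -> {ip} is not a public address")
    return url, ips


def rejection_reason(url: str, resolver=system_resolver):
    """None when the URL passes, otherwise the reason it was refused."""
    try:
        validate_fetch_url(url, resolver)
    except UnsafeUrl as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The targets from the advisory's reproduction steps, plus common bypasses.
    for candidate in ("http://img.example/qr.png",
                      "http://127.0.0.1:6379/",
                      "http://localhost:3306/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::1]/",
                      "http://rebind.example/",
                      "file:///etc/passwd"):
        print(f"{candidate:45} {rejection_reason(candidate, demo_resolver) or 'OK'}")
```

Two caveats for anyone porting this check: the caller must connect to one of the returned addresses and send the original hostname in the Host header rather than resolving again, otherwise a second lookup can return an internal address (DNS rebinding); and the HTTP client must not follow redirects automatically, or each redirect target must go through the same validation, since a public host can redirect the server to an internal one.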