Tiandy Video Surveillance System Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Tiandy Video Surveillance System version 7.17.0. The issue arises in the 'downloadImage' function within the file '/com/tiandy/easy7/core/bo/CLSBODownLoad.java'. The vulnerability allows remote attackers to manipulate the 'urlPath' parameter, leading to unauthorized requests being sent from the server to internal or external resources. This could potentially be exploited to read local files on the server or probe internal network services.
Impact
Exploitation of this vulnerability allows for server-side request forgery, where an attacker can manipulate server requests to access internal resources or files.
Reproduction
The vulnerability can be reproduced by sending a request to the 'downloadImage' function with a crafted 'urlPath' parameter. The server will then process this parameter without proper validation, allowing for unauthorized requests to be made from the server.
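One way a defender could close this class of bug, shown here as an added example that is not Tiandy's code and does not come from the advisory: a guard for a parameter such as 'urlPath' that permits only http and https (so file:// and other schemes never reach the downloader), checks the host against an allowlist, rejects embedded credentials, and refuses any name that resolves to a loopback, private, link-local, unspecified or multicast address. The class name UrlPathGuard, the Resolver interface, the allowlisted hosts and the sample addresses are assumptions made for the example.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative SSRF guard for a user-supplied URL parameter (added example,
 * not the vendor's code). Host allowlist and class name are assumptions.
 */
public final class UrlPathGuard {

    /** Hosts the image downloader is permitted to contact (constructed example values). */
    private static final Set<String> ALLOWED_HOSTS = Set.of("images.example.com", "cdn.example.net");

    /** Injectable name resolver so the checks can be exercised offline. */
    public interface Resolver {
        InetAddress[] resolve(String host) throws UnknownHostException;
    }

    private UrlPathGuard() {}

    /** Production entry point: resolves through the JVM's normal DNS path. */
    public static URI validate(String urlPath) {
        return validate(urlPath, InetAddress::getAllByName);
    }

    /**
     * Returns the validated URI or throws SecurityException if urlPath must not be fetched.
     * Checks are layered: well-formedness, scheme, host present, no userinfo,
     * host allowlist, and finally the class of every address the host resolves to.
     */
    public static URI validate(String urlPath, Resolver resolver) {
        if (urlPath == null || urlPath.isBlank()) {
            throw new SecurityException("urlPath is empty");
        }
        URI uri;
        try {
            uri = new URI(urlPath.trim());
        } catch (URISyntaxException e) {
            throw new SecurityException("urlPath is not a well-formed URI");
        }
        // file:, jar:, ftp: and similar would let the server read local files or
        // speak other protocols on an attacker's behalf; only web fetches are intended.
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new SecurityException("scheme not permitted: " + scheme);
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new SecurityException("urlPath has no host");
        }
        // user:pass@host forms are a common parser-confusion trick; refuse them outright.
        if (uri.getRawUserInfo() != null) {
            throw new SecurityException("user info not permitted in urlPath");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new SecurityException("host not on allowlist: " + host);
        }
        // Even an allowlisted name must not resolve to an internal address
        // (covers a hijacked or rebinding DNS record).
        try {
            for (InetAddress addr : resolver.resolve(host)) {
                if (isInternal(addr)) {
                    throw new SecurityException(host + " resolves to internal address " + addr.getHostAddress());
                }
            }
        } catch (UnknownHostException e) {
            throw new SecurityException("host does not resolve: " + host);
        }
        return uri;
    }

    /** True for loopback, RFC 1918 private, link-local, unspecified, multicast and IPv6 ULA addresses. */
    public static boolean isInternal(InetAddress addr) {
        byte[] b = addr.getAddress();
        // IPv6 unique local addresses (fc00::/7) are not covered by isSiteLocalAddress().
        boolean ipv6Ula = b.length == 16 && (b[0] & 0xfe) == 0xfc;
        return addr.isLoopbackAddress() || addr.isSiteLocalAddress() || addr.isLinkLocalAddress()
            || addr.isAnyLocalAddress() || addr.isMulticastAddress() || ipv6Ula;
    }

    /** Small helper for the demonstration below: reports the verdict as a string. */
    static String check(String urlPath, Resolver resolver) {
        try {
            validate(urlPath, resolver);
            return "allowed  " + urlPath;
        } catch (SecurityException e) {
            return "rejected " + urlPath + "  (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Stub resolvers with constructed addresses so the demo runs without network access.
        Resolver publicIp = h -> new InetAddress[] { InetAddress.getByName("93.184.216.34") };
        Resolver privateIp = h -> new InetAddress[] { InetAddress.getByName("10.0.0.5") };
        System.out.println(check("file:///etc/passwd", publicIp));                   // rejected: scheme
        System.out.println(check("http://127.0.0.1:8080/admin", publicIp));          // rejected: not allowlisted
        System.out.println(check("http://user@images.example.com/x.png", publicIp)); // rejected: user info
        System.out.println(check("https://images.example.com/x.png", publicIp));     // allowed
        System.out.println(check("https://images.example.com/x.png", privateIp));    // rejected: internal address
    }
}
```

Two caveats for anyone adapting this: the fetch that follows must not undo the checks, so disable automatic redirects on the connection (a redirect to an internal host would otherwise bypass the validation) and set connect and read timeouts; and because the name is resolved once here and again when the connection is opened, a deployment worried about DNS rebinding should connect to the address it validated rather than re-resolving. Logging every rejection with the offending 'urlPath' value also gives the SOC a cheap detection signal for probing attempts.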
