OTCMS Server-Side Request Forgery Vulnerability in read.php Admin Endpoint

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in OTCMS versions through 7.66, in the AnnounContent function of the admin/read.php file. It lets a remote, unauthenticated attacker make the server issue crafted HTTP requests to internal services or to any remote server. Because the 'url' parameter is not validated, the server can be directed to fetch local files or external resources, potentially leading to unauthorized file access and Cross-Site Scripting (XSS) attacks.

Impact

Exploiting this vulnerability turns the server into a request proxy that can reach internal services or read files on the host. Because the fetched content is returned in the response, the vulnerability can also be used to serve attacker-controlled scripts that execute in the context of the user's browser, resulting in Cross-Site Scripting.

Reproduction

To reproduce this vulnerability, access the OTCMS admin interface and request the read.php file. Without any authentication, send a request with the 'mudi' parameter set to 'announContent' and a 'url' parameter pointing either to a local file, such as the hosts file, or to an external URL. The server processes the request, fetches the specified resource, and returns its contents in the response. If the external URL serves a script, such as a JavaScript alert, the script executes in the browser.
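As an added detection example, not code from this advisory or from OTCMS, the following Python scans constructed access-log lines for the request pattern described above (admin/read.php with mudi=announContent and a url parameter) and classifies where each supplied URL would reach. The log format, client addresses and the /otcms/ install path are assumptions for the demo; hostnames are not resolved, so only literal IP addresses and 'localhost' are recognised as internal.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Common access-log format (assumed for this demo): client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines: documentation-range client addresses, assumed install path /otcms/.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Mar/2026:15:54:01 +0000] "GET /otcms/admin/read.php?mudi=announContent&url=file%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Mar/2026:15:54:07 +0000] "GET /otcms/admin/read.php?mudi=announContent&url=http%3A%2F%2F127.0.0.1%3A8080%2Fstatus HTTP/1.1" 200 88',
    '198.51.100.9 - - [27/Mar/2026:15:55:10 +0000] "GET /otcms/admin/read.php?mudi=announContent&url=http%3A%2F%2Fexample.com%2Fpage.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [27/Mar/2026:15:55:12 +0000] "GET /otcms/admin/read.php?mudi=other HTTP/1.1" 200 40',
    '192.0.2.7 - - [27/Mar/2026:15:56:00 +0000] "GET /otcms/index.php HTTP/1.1" 200 3000',
]

def classify_url(raw):
    """Classify where a fetched 'url' value would reach: local-file, internal, external or other."""
    parsed = urlparse(raw)
    scheme = parsed.scheme.lower()
    if scheme == "file" or (not scheme and raw.startswith("/")):
        return "local-file"
    if scheme not in ("http", "https"):
        return "other"  # not an HTTP fetch, but still worth review
    host = parsed.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname; not resolved here (offline), only 'localhost' counts as internal
        return "internal" if host == "localhost" else "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external"

def scan_log(lines):
    """Return one finding per request to admin/read.php carrying mudi=announContent and a url parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m.group("target"))
        if not target.path.endswith("/admin/read.php"):
            continue
        qs = parse_qs(target.query)  # percent-decodes the values
        if qs.get("mudi", [""])[0] != "announContent" or "url" not in qs:
            continue
        fetched = qs["url"][0]
        findings.append({"client": m.group("client"), "url": fetched, "kind": classify_url(fetched)})
    return findings
```

Any hit on this endpoint with a url parameter is worth alerting on, since the advisory states the function is reachable without authentication; the 'local-file' and 'internal' classes are the ones to escalate first.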

Added: Mar 27, 2026, 3:54 PM
Updated: Mar 27, 2026, 3:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 5.6
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.