SpringBlade
cpe:2.3:a:springblade_project:springblade:*:*:*:*:*:*:*
- <= 4.8.0
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the SpringBlade framework, specifically in version 4.8.0 of the blade-report module, which integrates UReport2. The vulnerability exists in the '/ureport/datasource/testConnection' endpoint, where an authenticated attacker controls the JDBC driver class name and connection URL used for the connection test and can therefore point the server at internal resources. The server-side logic hands these user-supplied values straight to the JDBC driver without validating them, so the server can be made to open connections to hosts and ports of the attacker's choosing, including internal networks and services that are not reachable from outside.
Exploitation of this vulnerability allows Server-Side Request Forgery (SSRF): the attacker makes the server initiate connections to internal or external resources on their behalf. This can be used to reach internal services or to perform network reconnaissance, since the connection test typically reports refused, timed-out and successful connections differently and so reveals which hosts and ports are open. Additionally, if the MySQL JDBC driver is used, pointing the URL at an attacker-controlled MySQL server creates the potential for arbitrary file read from the report server (the malicious server asks the client for a file through the 'LOAD DATA LOCAL INFILE' protocol feature) or even remote code execution, depending on the version of the MySQL connector.
To reproduce this vulnerability, send a POST request to the '/ureport/datasource/testConnection' endpoint with crafted JDBC connection parameters. The 'driver' parameter can be set to any JDBC driver class name available on the application's classpath, and the 'url' parameter can be pointed at any internal or external host and port. When the MySQL connector is used, a URL that targets an attacker-controlled MySQL server lets that server pull files from the report host by exploiting the 'LOAD DATA LOCAL INFILE' feature, and on older connector versions the same setup can be escalated to remote code execution.
Users are advised to disable the '/ureport/datasource/testConnection' endpoint if it is not needed in production. For those who require this functionality, it is recommended to implement an allowlist of permitted JDBC driver classes, to parse the JDBC URL and strip dangerous connection properties rather than forwarding the string as submitted, and to reject any target whose host is, or resolves to, a private, loopback or link-local address. Additionally, 'LOAD DATA LOCAL INFILE' should be disabled at the driver level regardless of what the submitted URL asks for (for MySQL Connector/J this is the allowLoadLocalInfile connection property, which should be forced to false).
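The checks described above, written out as an added example that is not code from SpringBlade or UReport2. The driver allowlist, the driver-to-subprotocol mapping and the injectable resolver hook are assumptions chosen for illustration; the blocked property names are real MySQL Connector/J properties (the ones governing the 'LOAD DATA LOCAL INFILE' file read, object deserialization, interceptor class loading and stacked statements). The same logic would be applied in the Java handler before the driver/URL pair reaches DriverManager.

```python
# Added example for the advisory above (not SpringBlade/UReport2 code): validate a
# user-supplied driver/URL pair before handing it to DriverManager.  The driver
# allowlist and the injectable resolver are assumptions made for illustration.
import ipaddress
import socket
from urllib.parse import parse_qsl, urlencode

# Assumption: only these drivers are needed.  The class name maps to the URL
# subprotocol it accepts, so a mismatched pair can be refused.
ALLOWED_DRIVERS = {
    "com.mysql.cj.jdbc.Driver": "mysql",
    "org.postgresql.Driver": "postgresql",
}

# Connector/J properties the caller must never control: client-side file reads
# (LOAD DATA LOCAL INFILE), object deserialization, interceptor class loading,
# stacked statements.  Compared case-insensitively.
BLOCKED_PROPERTIES = {
    "allowloadlocalinfile", "allowurlinlocalinfile", "autodeserialize",
    "queryinterceptors", "statementinterceptors", "allowmultiqueries",
}

# Forced onto every sanitized URL of that subprotocol, whatever was submitted.
FORCED_PROPERTIES = {"mysql": {"allowLoadLocalInfile": "false"}}


class JdbcTargetRejected(ValueError):
    """The driver/URL pair must not be used to open a connection."""


def split_jdbc_url(url):
    """Split jdbc:<subprotocol>://<host>[:port]/<db>?<query> into its parts."""
    if not url.startswith("jdbc:"):
        raise JdbcTargetRejected("not a jdbc: URL")
    subprotocol, sep, rest = url[len("jdbc:"):].partition("://")
    if not sep or not subprotocol.isalnum():  # also refuses mysql:loadbalance etc.
        raise JdbcTargetRejected("unsupported JDBC URL form")
    authority, _, path_and_query = rest.partition("/")
    path, _, query = path_and_query.partition("?")
    if "@" in authority or "," in authority:  # userinfo or host list: ambiguous host
        raise JdbcTargetRejected("userinfo or host list in URL authority")
    if authority.startswith("["):  # bracketed IPv6 literal
        host, sep, port = authority[1:].partition("]")
        if not sep:
            raise JdbcTargetRejected("unterminated IPv6 literal")
        port = port.lstrip(":")
    else:
        host, _, port = authority.partition(":")
    if not host or (port and not port.isdigit()):
        raise JdbcTargetRejected("bad host or port")
    return subprotocol, host, port, path, query


def _resolve(host):
    # Default resolver: every A/AAAA answer for host (needs network access).
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_internal(addr):
    """True for addresses the report server must not be made to connect to."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # not is_global covers private, loopback, link-local (so also the cloud
    # metadata address 169.254.169.254) and shared address space.
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def sanitize_jdbc_target(driver, url, resolver=_resolve):
    """Return a sanitized JDBC URL for the pair, or raise JdbcTargetRejected."""
    if driver not in ALLOWED_DRIVERS:
        raise JdbcTargetRejected("driver class not on the allowlist")
    subprotocol, host, port, path, query = split_jdbc_url(url)
    if subprotocol != ALLOWED_DRIVERS[driver]:
        raise JdbcTargetRejected("URL subprotocol does not match the driver")
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        addresses = resolver(host)  # hostname: every answer must pass
    if not addresses or any(is_internal(a) for a in addresses):
        raise JdbcTargetRejected("target resolves to an internal address")
    forced = FORCED_PROPERTIES.get(subprotocol, {})
    drop = BLOCKED_PROPERTIES | {k.lower() for k in forced}
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() not in drop]
    kept.extend(forced.items())
    authority = f"[{host}]" if ":" in host else host
    if port:
        authority += ":" + port
    query = urlencode(kept)
    return f"jdbc:{subprotocol}://{authority}/{path}" + (f"?{query}" if query else "")


def is_rejected(driver, url, resolver=_resolve):
    """True when sanitize_jdbc_target refuses the pair (handy for checks)."""
    try:
        sanitize_jdbc_target(driver, url, resolver)
    except JdbcTargetRejected:
        return True
    return False
```

Calling `sanitize_jdbc_target("com.mysql.cj.jdbc.Driver", "jdbc:mysql://127.0.0.1:3306/mysql")` raises, as does a hostname that resolves to 10.0.0.5 or 169.254.169.254, while a public host gets back a URL with `allowLoadLocalInfile=true` and `autoDeserialize=true` stripped and `allowLoadLocalInfile=false` appended. Two caveats: the check resolves the hostname itself and the JDBC driver resolves it again when connecting, so a rebinding DNS name can still slip through, which is why egress filtering at the network level belongs alongside this validation; and the subprotocol whitelist deliberately refuses multi-host forms such as `mysql:loadbalance`, whose host lists the simple parser above does not handle.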