1Panel-dev MaxKB
Affected versions: <= 2.8.0
A server-side request forgery (SSRF) vulnerability has been identified in MaxKB versions up to and including 2.8.0; it is fixed in 2.8.1. The issue is in the OSS file service URL fetch endpoint: the function that validates a user-supplied URL and the HTTP client that later fetches it parse the URL differently, so a URL that passes validation can be sent by the client to a different host than the one that was checked. This discrepancy allows authenticated attackers to bypass the SSRF protections and reach internal network services.
Successful exploitation yields server-side request forgery: the MaxKB server issues HTTP requests on the attacker's behalf to hosts it can reach, including internal network resources.
To reproduce this vulnerability, an authenticated user sends a request to the '/chat/api/oss/get_url' endpoint with a crafted URL that triggers the parsing inconsistency. The URL contains backslashes and '@' characters, which the validation function and the HTTP client interpret differently; the validator sees an allowed host while the client connects elsewhere, bypassing the SSRF protection and allowing access to internal services.
Users are advised to update MaxKB to version 2.8.1, which addresses the vulnerability by aligning the URL parsing logic between the validation and request components, so that the host that is checked is the host that is fetched.
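As an added illustration of the mitigation class described above, the following validator is example code written for this page, not MaxKB's own code or its 2.8.1 patch. It uses a single parser, rejects the inputs that classically make two parsers disagree (backslashes, userinfo), checks that every address the host maps to is public, and then rebuilds the URL from the parsed parts so the string handed to the HTTP client is exactly the one that was validated. The `resolver` parameter is an assumption of this example so the check can run offline; the function names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit


class UnsafeUrl(ValueError):
    """Raised when a user-supplied fetch URL fails the SSRF checks."""


def _is_public_ip(ip):
    # Loopback, RFC1918, link-local (cloud metadata lives there), multicast,
    # reserved and unspecified addresses are all off-limits for a server-side fetch.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host):
    """Real DNS lookup; returns every address the name maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_fetch_url(raw, resolver=default_resolver):
    """Return a canonical URL that is safe to fetch, or raise UnsafeUrl.

    One parser (urllib) is used for the decision, and the client is handed the
    rebuilt URL, not the raw input, so validator and client cannot disagree.
    """
    # Backslashes are treated as path separators by some parsers (WHATWG-style
    # clients) but not others (urllib); rejecting them removes that ambiguity.
    if "\\" in raw:
        raise UnsafeUrl("backslash in URL")
    try:
        parts = urlsplit(raw)
        port = parts.port  # may raise ValueError for a malformed port
    except ValueError as exc:
        raise UnsafeUrl(f"unparseable URL: {exc}")
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl("scheme not allowed")
    # Userinfo ("user:pass@") is where parsers most often split the authority
    # differently; an image/file fetch never needs it, so refuse it outright.
    if "@" in parts.netloc or parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    # IP literal: check it directly. Hostname: check every address it resolves to.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise UnsafeUrl("host does not resolve")
    for ip in addrs:
        if not _is_public_ip(ip):
            raise UnsafeUrl(f"host maps to non-public address {ip}")
    # Rebuild the authority from the parsed host and port only (no userinfo),
    # drop the fragment, and default an empty path to "/".
    netloc = f"[{host}]" if ":" in host else host
    if port is not None:
        netloc = f"{netloc}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def is_safe_fetch_url(raw, resolver=default_resolver):
    """Boolean wrapper around validate_fetch_url for callers that only need a verdict."""
    try:
        validate_fetch_url(raw, resolver)
        return True
    except UnsafeUrl:
        return False


if __name__ == "__main__":
    # Constructed resolver for an offline demonstration; no real DNS is consulted.
    fake_dns = {"files.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
    lookup = lambda h: fake_dns.get(h, [])
    for candidate in ("https://files.example/bucket/obj.png#x",
                      "http://intranet.example/admin",
                      "http://169.254.169.254/latest/meta-data/"):
        print(candidate, "->", is_safe_fetch_url(candidate, lookup))
```

The canonical string returned by `validate_fetch_url` is what should be passed to the HTTP client; passing the original `raw` input back would reintroduce the very gap the advisory describes. Note the remaining caveat: the client still performs its own DNS lookup, so a name that resolves differently between the check and the fetch (DNS rebinding) is not covered here and needs a client that connects to the already-resolved address.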