e107 CMS Server-Side Request Forgery Vulnerability in Media Manager

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in e107, a content management system (CMS), prior to version 2.3.4. This vulnerability allows authenticated administrators to access the local environment by specifying a URL in the 'Image/File URL' field of the 'Media Manager' on the administrator screen. The issue arises because the 'e_file::getRemoteFile()' and 'getRemoteContent()' methods previously accepted URLs without proper validation, enabling potential port scanning or access to internal services through imported media.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the local environment, allowing for port scanning and the potential retrieval of sensitive information.

Reproduction

To reproduce this vulnerability, log into the administrator screen and navigate to 'Media Upload/Import'. Once there, specify a URL pointing to a local resource in the 'Image/File URL' field. After submitting the form, check the response to see the outcome of the request: an open port results in no error, while a closed port generates an error message indicating a problem with fetching the file.

Remediation

Users can update to e107 version 2.3.4, where this vulnerability has been patched. Instructions for this update can be found in the e107 documentation.
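
For sites that fetch remote media in their own code, the sketch below shows the kind of URL validation whose absence is described under 'Vulnerability'. It is an added example, not e107's code or its 2.3.4 patch; the function name is_safe_remote_url(), the injectable $resolver, and the sample hostnames and addresses are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not e107's e_file code or its 2.3.4 patch.

/**
 * Return true only if $url uses http(s) and every address its host resolves
 * to is public. $resolver is injectable so the check can be exercised offline.
 */
function is_safe_remote_url(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;                          // malformed URL or no host part
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;                          // only web schemes are fetched
    }
    $host = trim($parts['host'], '[]');        // parse_url keeps [] on IPv6 literals

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];                  // literal IP: check it directly
    } else {
        // Default resolver returns IPv4 records only; false on failure becomes [].
        $resolver = $resolver ?? static fn(string $h) => gethostbynamel($h) ?: [];
        $addresses = $resolver($host);
    }
    if ($addresses === []) {
        return false;                          // unresolvable host: fail closed
    }
    foreach ($addresses as $ip) {
        // Rejects loopback, link-local, RFC 1918 and other reserved ranges.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed DNS answers and sample inputs, so the demo runs without a network.
$fakeDns = static fn(string $h) => [
    'intranet.example' => ['10.0.0.5'],
    'cdn.example'      => ['93.184.216.34'],
][$h] ?? [];
$samples = ['http://127.0.0.1:22/', 'http://[::1]:8080/', 'ftp://cdn.example/a.png',
            'http://intranet.example/logo.png', 'https://cdn.example/logo.png'];
foreach ($samples as $u) {
    printf("%-36s %s\n", $u, is_safe_remote_url($u, $fakeDns) ? 'allow' : 'reject');
}
```

A check like this only holds if the fetch then connects to the address that was validated and re-checks every redirect target; otherwise a second DNS lookup or a redirect can still land on an internal host.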

Added: May 26, 2026, 4:40 PM
Updated: May 26, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.4
exploitability: 6.3
remediation: 7.9
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.