mingSoft MCMS
cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*
- <= 5.5.0
A server-side request forgery (SSRF) vulnerability has been identified in mingSoft MCMS versions through 5.5.0. The issue arises in the Editor Endpoint, specifically within the catchImage function of the BaseAction.java file. This vulnerability allows remote attackers to manipulate the catchimage argument, leading the server to make unauthorized requests to internal or external destinations. The flaw exists because the application fails to properly validate the scheme, host, or network range of user-supplied URLs before fetching them. As a result, an attacker can exploit this weakness to access sensitive internal services or cloud metadata endpoints from the application server.
Exploitation of this vulnerability allows for server-side request forgery, where the application server is tricked into making requests to internal or external targets chosen by the attacker. This can lead to probing internal networks, accessing cloud metadata services that may contain sensitive information, and potentially exploiting internal business APIs or administrative endpoints, depending on the application's configuration.
To reproduce this vulnerability, send a POST request to the editor endpoint with the action set to 'catchimage'. Include one or more crafted URLs in the 'source[]' parameter that point to internal addresses, such as localhost or RFC1918 ranges, or cloud metadata services. The server will fetch these URLs, originating the request from the MCMS server context, which can then be used to access internal resources or metadata.
It is recommended to validate and restrict remote URLs before fetching them. Implement checks to ensure only HTTP or HTTPS URLs are allowed, and block internal addresses, localhost, and private network ranges. Additionally, consider enforcing a domain allowlist for trusted sources or disabling the remote image fetch feature if not needed.
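One way to implement the recommended checks before a remote image is fetched, as an added example (not MCMS code). The class name, the allowlist field and the sample URLs are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.util.List;
import java.util.Set;

public class RemoteImageUrlValidator {
    // Hypothetical allowlist of trusted image hosts; an empty set disables the allowlist check.
    private final Set<String> allowedHosts;

    public RemoteImageUrlValidator(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }

    /** Returns the vetted addresses for the URL's host, or throws if the URL must not be fetched. */
    public List<InetAddress> validate(String rawUrl) throws Exception {
        URI uri = URI.create(rawUrl.trim());               // throws on malformed input
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https")))
            throw new SecurityException("scheme not allowed: " + scheme);
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null)
            throw new SecurityException("missing host or embedded credentials");
        if (!allowedHosts.isEmpty() && !allowedHosts.contains(host.toLowerCase()))
            throw new SecurityException("host not on allowlist: " + host);
        InetAddress[] resolved = InetAddress.getAllByName(host);   // check every A/AAAA record
        for (InetAddress addr : resolved)
            if (isInternal(addr)) throw new SecurityException("internal address: " + addr);
        return List.of(resolved);
    }

    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean uniqueLocalV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc;                    // fc00::/7
        boolean sharedV4 = b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40;  // 100.64.0.0/10
        return a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress() || uniqueLocalV6 || sharedV4;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (IP literals, so no DNS lookup is needed to run this).
        String[] samples = { "http://203.0.113.10/logo.png", "http://127.0.0.1:8080/", "http://10.0.0.5/a.png",
                "http://169.254.169.254/", "http://[::1]/", "file:///etc/passwd", "ftp://203.0.113.10/a.png" };
        RemoteImageUrlValidator v = new RemoteImageUrlValidator(Set.of());
        for (String s : samples) {
            try { System.out.println("ALLOW  " + s + " -> " + v.validate(s)); }
            catch (Exception e) { System.out.println("REJECT " + s + " (" + e.getMessage() + ")"); }
        }
    }
}
```

The fetch code should connect to the addresses this method returns rather than resolving the host name a second time, since the DNS answer can change between the check and the request. HTTP redirects should be disabled or each redirect target passed through the same validation.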