AutohomeCorp Frostmourne Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in AutohomeCorp Frostmourne versions prior to 1.0. The issue resides in the Alarm Preview component, specifically in AlarmController.java. An authenticated user can make the server issue arbitrary HTTP or HTTPS requests, because the target URL supplied in the alarm preview is never validated or constrained. The response to the request is returned directly to the user, so the flaw can be used to read internal network resources and cloud metadata endpoints, or to port-scan hosts reachable from the server.
Impact
Exploitation of this vulnerability lets an authenticated attacker make unauthorized requests from the Frostmourne server to any internal or external service the server can reach, and read the responses. Services bound to localhost or the internal network, and cloud instance metadata endpoints, are the typical targets.
Reproduction
To reproduce this vulnerability, an authenticated user sends a request to the /alarm/previewData endpoint with a crafted AlarmContract in which metricContract.dataName is set to 'http' and metricContract.queryString holds the target URL. The padAlarm method of AlarmController does not validate or constrain queryString when dataName is 'http', so the server fetches whatever URL is supplied and returns the response in the preview. The returned content can then be used to read internal resources or metadata endpoints, and differences in response or timing can be used to map open ports.
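The check that padAlarm lacks, as an added example that is not Frostmourne's code. It is written in Python rather than the project's Java so it can be run as-is; the AlarmContract payloads, the allowlist, the hostnames and the static DNS table are all constructed for the example, and the full contract schema is assumed beyond the two fields the advisory names (metricContract.dataName and metricContract.queryString). Besides the scheme and allowlist checks, it resolves the hostname and rejects loopback, private, link-local and IPv4-mapped addresses, which is what catches an allowlisted name that is later pointed at an internal host.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed AlarmContract payloads shaped after the fields the advisory
# names. Everything beyond dataName and queryString is assumed.
SAMPLE_CONTRACTS = [
    {"metricContract": {"dataName": "http", "queryString": "http://169.254.169.254/latest/meta-data/"}},
    {"metricContract": {"dataName": "http", "queryString": "http://127.0.0.1:8080/actuator/env"}},
    {"metricContract": {"dataName": "http", "queryString": "http://[::ffff:127.0.0.1]/"}},
    {"metricContract": {"dataName": "http", "queryString": "file:///etc/passwd"}},
    {"metricContract": {"dataName": "http", "queryString": "https://metrics.example.com/api/query"}},
    {"metricContract": {"dataName": "http", "queryString": "https://rebind.example.com/api/query"}},
]

# Hypothetical allowlist of hosts the alarm preview may fetch from.
ALLOWED_HOSTS = {"metrics.example.com", "rebind.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. A deployment would use
# resolve_dns() below, which asks the real resolver.
STATIC_DNS = {
    "metrics.example.com": ["93.184.216.34"],  # public address
    "rebind.example.com": ["10.0.0.5"],        # allowlisted name pointing inside
}


def resolve_static(host):
    """Resolve a host using the constructed table; literal IPs resolve to themselves."""
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        return {ipaddress.ip_address(a) for a in STATIC_DNS.get(host, [])}


def resolve_dns(host):
    """Resolve a host with the system resolver; an unresolvable host yields no addresses."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def is_public_address(ip):
    """True only for addresses outside loopback, private, link-local and reserved space."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_static):
    """Scheme allowlist, host allowlist, then an address check on every resolved IP."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or host.lower() not in allowed_hosts:
        return False
    addresses = resolver(host)
    if not addresses:
        return False
    return all(is_public_address(ip) for ip in addresses)


def query_string_for_http(contract):
    """Return queryString only on the dataName == 'http' path the advisory describes."""
    metric = contract.get("metricContract") or {}
    if metric.get("dataName") != "http":
        return None
    return metric.get("queryString")


def check_contracts(contracts, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_static):
    """Map each HTTP queryString to whether the preview should be allowed to fetch it."""
    results = {}
    for contract in contracts:
        url = query_string_for_http(contract)
        if url is not None:
            results[url] = is_allowed_target(url, allowed_hosts, resolver)
    return results


if __name__ == "__main__":
    for url, ok in check_contracts(SAMPLE_CONTRACTS).items():
        print("ALLOW" if ok else "BLOCK", url)
```

The allowlist is the primary control; the address check is defense in depth against an allowlisted name that resolves to an internal address, and it should be applied to the address the HTTP client actually connects to, since a separate lookup can be answered differently.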
