Moxi624 Mogu Blog Server-Side Request Forgery Vulnerability via Unvalidated OAuth Avatar URLs
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Moxi624 Mogu Blog versions 2.0.1 through 5.2. The flaw lies in the Picture Storage Service component, specifically the LocalFileServiceImpl.uploadPictureByUrl function, which fetches the avatar URL supplied by an OAuth provider without validating it. An attacker who controls that URL can force the server to issue arbitrary outbound requests: to internal network services, to cloud instance metadata endpoints, or, via the file:// scheme, to local files on the server. The vulnerability can be exploited remotely and without authentication by an attacker who compromises an OAuth application or registers a malicious one.
Impact
Exploitation results in server-side request forgery: the application server is tricked into making requests to destinations of the attacker's choosing. Consequences include unauthorized access to internal services, theft of cloud metadata (including the temporary IAM credentials that instances with an attached role expose there), disclosure of local files, and disruption of internal services.
Reproduction
To reproduce this vulnerability, register a malicious OAuth application with a provider such as Gitee, GitHub, QQ, or WeChat, or compromise an existing one, and arrange for the user profile it returns to carry an attacker-chosen avatar URL, for example one pointing at the AWS instance metadata service (169.254.169.254). When a user logs in through that provider, the application passes the unvalidated avatar URL to uploadPictureByUrl, which fetches it from the server's network position. The SSRF can be confirmed by checking the application logs for the response from the metadata service, which on an AWS instance with an IAM role attached contains temporary IAM credentials. Note that instances enforcing IMDSv2 require a PUT request for a session token before any metadata is served, so a plain GET to the credentials path will not return them there; an internal HTTP service or a file:// path serves equally well as proof of the underlying SSRF.
Remediation
Users are advised to validate avatar URLs received from OAuth providers before fetching them. The check should accept only the http or https scheme (never file or other schemes), restrict the host to the avatar hosts the configured providers actually serve from, resolve the host and reject any address that is loopback, link-local (which includes the 169.254.169.254 metadata endpoint), private, or otherwise non-public, and prevent the HTTP client from following redirects on its own, re-applying the same checks to every redirect target. Because the address resolved during validation and the one resolved when the connection is opened come from separate lookups, DNS rebinding can still slip past a host check; connect to the validated address directly or route the fetch through an egress proxy that enforces the same policy. Additionally, monitor and log OAuth interactions and outbound image fetches for suspicious destinations.
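As an added example, not code from Mogu Blog or its authors, the following Java class implements the checks described above: scheme allowlist, host allowlist, resolution of every address the host maps to with rejection of non-public ranges, and manual redirect handling that re-validates each hop. The class name, the single allowlist entry (GitHub's avatar host) and the redirect limit are assumptions; a deployment must allow the avatar hosts returned by whichever providers it actually enables.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative avatar-URL validator and fetcher (added example, not Mogu Blog's code).
 * ASSUMPTION: the host allowlist is a placeholder; fill it with the avatar hosts
 * returned by the OAuth providers the deployment enables.
 */
public final class SafeAvatarFetcher {

    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "avatars.githubusercontent.com"   // GitHub's avatar host; add Gitee/QQ/WeChat hosts as needed
    ));

    private SafeAvatarFetcher() {}

    /** Parses and checks a URL; returns it if safe to fetch, otherwise throws IllegalArgumentException. */
    public static URI validate(String raw) throws UnknownHostException {
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed avatar URL", e);
        }
        // Scheme allowlist: rejects file://, ftp://, gopher://, jar: and everything else.
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("https") || scheme.equalsIgnoreCase("http"))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        // "user@host" forms exist only to confuse parsers; there is no legitimate use here.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("no host in avatar URL");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not in allowlist: " + host);
        }
        // Resolve every address the name maps to; one non-public A/AAAA record is enough to reject.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (!isPublic(addr)) {
                throw new IllegalArgumentException(host + " resolves to non-public " + addr.getHostAddress());
            }
        }
        return uri;
    }

    /** True only for globally routable unicast addresses. */
    static boolean isPublic(InetAddress a) {
        // Covers 0.0.0.0, 127/8, 169.254/16 (cloud metadata), 10/8, 172.16/12, 192.168/16,
        // multicast, ::, ::1, fe80::/10 and fec0::/10. Java returns an Inet4Address for
        // IPv4-mapped IPv6 (::ffff:a.b.c.d), so those are covered by the IPv4 checks.
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return false;
        }
        byte[] b = a.getAddress();
        // fc00::/7 (unique local) is not caught by isSiteLocalAddress, which only tests fec0::/10.
        return b.length != 16 || (b[0] & 0xfe) != 0xfc;
    }

    /**
     * Opens the avatar without letting the client follow redirects on its own, so a trusted
     * host cannot bounce the server to an unchecked destination. The lookup in validate() and
     * the one the connection performs are separate, so DNS rebinding is only fully closed by
     * an egress proxy or by connecting to the validated address directly.
     */
    public static InputStream open(String raw, int maxRedirects) throws IOException {
        URI uri = validate(raw);
        for (int hop = 0; hop <= maxRedirects; hop++) {
            HttpURLConnection c = (HttpURLConnection) uri.toURL().openConnection();
            c.setInstanceFollowRedirects(false);
            c.setConnectTimeout(5_000);
            c.setReadTimeout(5_000);
            int code = c.getResponseCode();
            if (code >= 300 && code < 400) {
                String location = c.getHeaderField("Location");
                c.disconnect();
                if (location == null) {
                    throw new IOException("redirect without Location header");
                }
                uri = validate(uri.resolve(location).toString()); // re-check scheme, host, addresses
                continue;
            }
            if (code != HttpURLConnection.HTTP_OK) {
                throw new IOException("unexpected status " + code + " fetching avatar");
            }
            return c.getInputStream();
        }
        throw new IOException("too many redirects");
    }
}
```

With this in place, `validate("file:///etc/passwd")` fails on the scheme check and `validate("http://169.254.169.254/latest/meta-data/")` fails on the host allowlist before any connection is attempted; a redirect from an allowed host to either destination is caught by the re-validation in `open`. The allowlist is the primary control here; the address checks are defence in depth for the case where an allowed host is later pointed at an internal address.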
