Qibo CMS Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Qibo CMS version 1.0. The issue arises in the file '/index/image/headers', where the application fails to properly validate the 'url' parameter. This lack of input validation allows attackers to send requests to internal metadata servers, particularly on Alibaba Cloud, and access sensitive information such as cloud server metadata, user-defined data, and core details like the Alibaba Cloud account ID and VPC network segments. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows attackers to access internal metadata and user-defined data from Alibaba Cloud ECS instances, leading to the unauthorized disclosure of sensitive information such as cloud environment network topology, account IDs, and high-privilege initialization scripts. Additionally, the leaked internal network segments could be used for port scanning and lateral movement within the network.
Reproduction
To reproduce this vulnerability, send a request to the '/index/image/headers' endpoint with a crafted 'url' parameter that points to the internal metadata address of an Alibaba Cloud ECS instance. The server will process the request and retrieve the metadata, which can then be accessed by the attacker.
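As an added example (not code from Qibo CMS or from this advisory), the destination check that a fetch handler such as '/index/image/headers' needs before following a user-supplied 'url': the host is resolved and every address it maps to must lie outside loopback, private, link-local and cloud-metadata ranges. The hostnames and the `resolve` hook are assumptions for offline use; the Alibaba Cloud ECS metadata address 100.100.100.200 is a known value, not one taken from the advisory.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a user-controlled fetch must never reach: loopback, RFC 1918, link-local
# (169.254.0.0/16, where most cloud metadata services live) and the shared address
# space 100.64.0.0/10, which holds the Alibaba Cloud ECS metadata endpoint
# 100.100.100.200. Assumption: the application only needs public http(s) resources.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def _system_resolve(host):
    # getaddrinfo normalises decimal, hex and short dotted forms to the real address
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def _is_internal(addr):
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(addr in net for net in BLOCKED_NETWORKS) or not addr.is_global

def check_fetch_url(url, resolve=None):
    """Return (allowed, reason). `resolve` maps a hostname to a list of IP
    strings (default: system resolver). Every address must be public; the
    caller must then connect to the checked address, not re-resolve the name."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in url"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:  # not an address literal, so resolve the name
        try:
            addrs = [ipaddress.ip_address(a) for a in (resolve or _system_resolve)(host)]
        except (OSError, ValueError):
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if _is_internal(addr):
            return False, "resolves to internal address %s" % addr
    return True, "ok"
```

A name that resolves to both a public and an internal record is rejected outright, and the connection must be made to the address that passed the check rather than to the hostname, otherwise a second lookup can return a different answer.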
