magicblack / maccms10

maccms official site, maccms v10, maccmsv10, Mac CMS, open-source CMS, content management system, video sharing program, episode synopsis program, URL navigation program, article program, comic program, image program
2.27k stars 781 forks

SSRF vulnerability in the maccms10 admin backend #763

Closed cc-ship closed 2 years ago

cc-ship commented 2 years ago

The vulnerability is in the `test` method in `maccms/application/admin/controller/Collect.php`. The parameters of this method are controllable, and the `vod_xml` or `vod_json` method is called later. Finally it falls through to `mac_curl_get`, causing an SSRF vulnerability. The PoC is as follows:

```
POST http://localhost:8001/maccms/admin888.php/admin/collect/test
cjurl=http://localhost:9999#&type=1
```

[screenshot]

Repair plan: filter the parameter `cjurl`.
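
The check the reporter asks for, written out as an added example in PHP (it is not maccms10 code and does not reproduce `mac_curl_get`; the function names `check_collect_url`, `is_public_ip` and `resolve_host` and the offline host table are assumptions made for illustration). It rejects the PoC URL and the usual SSRF targets before any server-side fetch happens:

```php
<?php
// Added example, not maccms10 code. A server-side allow-check for the
// cjurl parameter to run before the URL is handed to any curl wrapper.

/** True when $ip is a public unicast address (no loopback, private,
 *  link-local or reserved range). filter_var's range flags do the work. */
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/** Hypothetical resolver. A constructed table keeps the example offline;
 *  unknown names fall back to a real DNS lookup via dns_get_record(). */
function resolve_host(string $host): array
{
    static $constructed = [
        'localhost'         => ['127.0.0.1', '::1'],
        'metadata.internal' => ['169.254.169.254'],
        'example.com'       => ['93.184.216.34'],
    ];
    if (isset($constructed[$host])) {
        return $constructed[$host];
    }
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
        $ips[] = $rr['ip'] ?? $rr['ipv6'];
    }
    return $ips;
}

/** Returns null when $url may be fetched, otherwise the reason it was refused. */
function check_collect_url(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return 'unparseable URL';
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme {$scheme} not allowed";      // blocks file://, gopher://, dict:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in URL not allowed';    // avoids http://trusted@evil/ confusion
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return "port {$p['port']} not allowed";     // the PoC aims at :9999
    }
    $host = strtolower(trim($p['host'], '[]'));     // strip IPv6 brackets
    // An IP literal is checked as-is; a hostname is resolved and every
    // answer must be public, so a name that points at 127.0.0.1 is refused too.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = resolve_host($host);
        if ($ips === []) {
            return "cannot resolve {$host}";
        }
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return "{$host} resolves to non-public address {$ip}";
        }
    }
    return null;
}

// Constructed inputs: the PoC from this issue plus typical SSRF targets.
foreach ([
    'http://localhost:9999#',             // PoC: refused (port 9999)
    'http://localhost/api.php',           // refused (resolves to 127.0.0.1)
    'http://metadata.internal/latest',    // refused (169.254.169.254 is reserved)
    'file:///etc/passwd',                 // refused (scheme)
    'http://user@example.com/api.php',    // refused (credentials)
    'https://example.com/api.php?ac=list' // accepted
] as $u) {
    printf("%-40s %s\n", $u, check_collect_url($u) ?? 'OK');
}
```

Two caveats a practitioner would add: the resolved address should be pinned for the actual request (for example with `CURLOPT_RESOLVE`) so a DNS answer cannot change between the check and the fetch, and redirects must either be disabled or re-checked hop by hop, since a public host that 302s to `http://127.0.0.1:9999/` bypasses a one-time check.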

magicblack commented 2 years ago

Thanks for the feedback, a simple fix has been made. The scene here is more complicated and may not be too restrictive.

yuanminglove commented 2 years ago

oops