Issues » Server-Side Request Forgery (SSRF) in dotcms/core

Issue: SI-60
Date: Dec 14, 2021, 10:30:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 21.12
Credit: Vinicius Ribeiro Ferreira da Silva
Description:

The dotCMS TempFileAPI allows an SSRF that can be used to reach internal systems accessible from the server via URL

  • For example, if dotCMS is connected to an unsecured Elasticsearch instance, this SSRF gives us direct access to the Elasticsearch REST API
  • In a cloud environment, it can be possible to abuse this flaw to get Remote Code Execution
  • A user with a few permissions is required
  • Exploitation requires a slightly different user setup, so I uploaded a video (private) showing how to configure your users and how to use a less privileged account to explore the SSRF

Exploitation can allow access to any web service that is reachable via localhost; this includes cloud services such as the AWS APIs

  • If this CMS is running in a cloud environment, it can be possible to abuse this flaw to get Remote Code Execution

Mitigation:
  1. Upgrade to unaffected versions
  2. Create a Rule that blocks external access to the TempFileResource, /api/v1/temp/byUrl
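
Where the mitigation above blocks the endpoint entirely, the equivalent code-level control is to validate the destination before the server fetches a URL on a user's behalf. The following validator is an added example, not dotCMS code: the function names are hypothetical, and it assumes the fetch is pinned to the address it approved (re-resolving the name at fetch time would reopen the hole via DNS rebinding).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Return every address the host maps to (hypothetical helper).

    IP literals are parsed directly so no DNS lookup is needed for them.
    """
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(addr):
    """Reject loopback, RFC 1918, link-local (cloud metadata at 169.254.x.x),
    reserved, multicast and unspecified addresses, unwrapping IPv4-mapped IPv6."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_fetch_url(url):
    """Return (allowed, reason) for a URL a server-side fetcher was asked to load."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    addrs = resolve_all(parts.hostname)
    if not addrs:
        return False, "unresolvable host"
    # Every resolved address must be public; one internal A/AAAA record is enough to deny.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```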


References

https://huntr.dev/bounties/e903dacf-396c-4c9f-b7b3-3138182a3488/