UEditor - Server Side Request Forgery

By kannthu

Medium
Vidoc Module
#ueditor #ssrf
Description

What is "UEditor - Server Side Request Forgery"?

The "UEditor - Server Side Request Forgery" module is designed to detect a vulnerability in the UEditor software. UEditor is a popular web-based text editor that allows users to create and edit content on websites. This module specifically targets a Server Side Request Forgery (SSRF) vulnerability in UEditor.

The severity of this vulnerability is classified as medium, indicating that it has the potential to cause significant harm if exploited.

This module was authored by pwnhxl.

Impact

A Server Side Request Forgery (SSRF) vulnerability allows an attacker to make requests to internal or external resources on behalf of the vulnerable server. In the case of UEditor, this vulnerability could be exploited to perform unauthorized actions, such as accessing sensitive information or launching attacks against other systems.

How does the module work?

The "UEditor - Server Side Request Forgery" module works by sending specific HTTP requests to the UEditor software and then analyzing the responses to determine if the SSRF vulnerability is present.

One example of an HTTP request sent by this module is:

GET /ueditor/php/controller.php?action=catchimage&source[]=http://127.0.0.1:{%randTextNumeric(6)%}/?1.png

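This request asks UEditor's catchimage action to fetch an image from the URL given in source[]. The URL points at the loopback address 127.0.0.1, with a randomized six-digit numeric value in the port position.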

The module includes two matching conditions:

- The response body must contain the words \u94fe\u63a5\u4e0d\u53ef\u7528, "original": and "SUCCESS" (the last two including their double quotes).
- The response status code must be 200.

If both conditions are met, the module will report a vulnerability.
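
A defender can look for the same request shape in web server logs. The following is an added example, not part of the Vidoc module or the original page: it scans access-log lines for catchimage calls whose source[] URL points at a loopback, private or link-local address. The combined log format, the sample lines and the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /ueditor/php/controller.php?action=catchimage&source[]=http://127.0.0.1:482913/?1.png HTTP/1.1" 200 97
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /ueditor/php/controller.php?action=catchimage&source%5B%5D=http%3A%2F%2F10.0.0.5%2Fa.png HTTP/1.1" 200 120
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /ueditor/php/controller.php?action=catchimage&source[]=https://cdn.example.org/pic.png HTTP/1.1" 200 150
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /ueditor/php/controller.php?action=config HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def targets_internal(url):
    """True if the URL's host is localhost or an IP literal in a non-public range."""
    try:
        # .hostname does not validate the port, so a six-digit value still parses
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name; resolving it is out of scope here
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def find_catchimage_ssrf(log_text):
    """Return (client, source_url, status) for catchimage calls aimed at internal hosts."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        params = parse_qsl(target.partition("?")[2])  # also percent-decodes
        if ("action", "catchimage") not in params:
            continue
        for key, value in params:
            if key.startswith("source") and targets_internal(value):
                hits.append((client, value, status))
    return hits


if __name__ == "__main__":
    for hit in find_catchimage_ssrf(SAMPLE_LOG):
        print(hit)
```

Source URLs that use a DNS name are not flagged here, so a name that resolves to an internal address needs a resolution step on top of this check.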

Reference

- https://xz.aliyun.com/t/4154
- https://www.seebug.org/vuldb/ssvid-97311

Metadata

- max-request: 2
- verified: true
- shodan-query: html:"UEditor"

Module preview

Concurrent Requests (1)

1. HTTP Request template

GET /ueditor/php/control... /ueditor/jsp/control...

Matching conditions

- word: \u94fe\u63a5\u4e0d\u53ef\u7528, "origina...
- and status: 200

Passive global matcher

No matching conditions.

On match action

Report vulnerability