Summary

A Server-Side Request Forgery (SSRF) vulnerability has been identified in JEEWMS v3.7. The vulnerability exists in the UEditor plugin's remote image retrieval endpoint (/plug-in/ueditor/jsp/getRemoteImage.jsp), which fetches user-supplied URLs server-side without validating them. An unauthenticated attacker can make the application server issue HTTP requests to arbitrary hosts and ports, including loopback and internal addresses, potentially leading to internal network scanning, disclosure of data from internal services, and interaction with services that are not reachable from outside.

Affected Versions

JEEWMS ≤ v3.7

Details

getRemoteImage.jsp reads the user-supplied upfile parameter and hands each URL in it straight to HttpURLConnection with no validation of scheme, host or port, so the application server can be made to connect to any address it can reach, including loopback and internal ranges. The only check is that the response Content-Type header contains the substring "image", and it runs after the request has already been sent: an attacker who controls the target server simply returns any image/* Content-Type, and internal targets receive the request regardless of the outcome. Because the handler then behaves differently depending on the target (the file is saved, the "incorrect image type" state is set, or the request fails when no connection can be made), the responses also reveal whether a given host and port are reachable. The endpoint requires no authentication, so any network client can trigger it.

File: src/main/webapp/plug-in/ueditor/jsp/getRemoteImage.jsp

  <%
      // Attacker-controlled parameter; no scheme, host or port validation
      String url = request.getParameter("upfile");
      // ...
      // Several URLs can be fetched in one request, separated by this token
      String[] arr = url.split("ue_separate_ue");
      for(int i=0;i<arr.length;i++){
          // ...
          // The cast limits the scheme to http/https, but any host and port is accepted
          HttpURLConnection conn = (HttpURLConnection) new URL(arr[i]).openConnection();
          // Reading a response header sends the request, so the target is contacted
          // before any check happens; the check only gates the download below
          if(conn.getContentType().indexOf("image")==-1){
              state = "图片类型不正确!"; // "Incorrect image type!"
              continue;
          }
          // ...
          InputStream is = conn.getInputStream();
          // Download and save file
      }
  %>

PoC

http://localhost:8081/jeewms/plug-in/ueditor/jsp/getRemoteImage.jsp?upfile=http://192.168.1.101:899/.jpg

Here localhost:8081 is the JEEWMS instance and 192.168.1.101:899 is a listener under the tester's control. A request arriving at the listener from the JEEWMS host confirms the server-side fetch. The ".jpg" suffix is cosmetic: the endpoint inspects the response Content-Type, not the path, so a listener that answers with an image/* Content-Type gets its response downloaded and saved as well.
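As an added illustration, not code from the JEEWMS project or from the advisory's PoC, the following Python script reproduces both points above: it plays the attacker's listener from the PoC against a Python mirror of the getRemoteImage.jsp loop, showing that the fetch reaches the listener and that the "image" Content-Type check passes because the attacker sets that header, and it implements the host validation the JSP lacks. The listener address (an ephemeral loopback port), the `vulnerable_fetch`, `demo_bypass` and `is_safe_remote_image_url` names, and the allowed-port policy are assumptions of the example.

```python
"""Added example (not JEEWMS project code): a Python mirror of the
getRemoteImage.jsp fetch loop beside the validation it lacks."""
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


class FakeImageHandler(BaseHTTPRequestHandler):
    """Attacker-side listener (stands in for 192.168.1.101:899 in the PoC):
    records every inbound request and answers any path with an image/*
    Content-Type, which is all the JSP's indexOf("image") check looks at."""
    received = []  # (path, User-Agent) of requests that reached the listener

    def do_GET(self):
        type(self).received.append((self.path, self.headers.get("User-Agent")))
        body = b"\xff\xd8\xff\xe0 constructed payload, not a real JPEG"
        self.send_response(200)
        self.send_header("Content-Type", "image/jpeg")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_listener():
    """Bind an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImageHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def vulnerable_fetch(upfile):
    """Mirror of the JSP loop: split on 'ue_separate_ue', request each URL
    unconditionally, keep the body only if Content-Type contains 'image'.
    Returns a list of (state, body) per URL."""
    results = []
    for url in upfile.split("ue_separate_ue"):
        # The request is sent here, before anything about the target is checked.
        with urlopen(Request(url), timeout=5) as conn:
            ctype = conn.headers.get("Content-Type") or ""
            if "image" not in ctype:
                results.append(("图片类型不正确!", None))  # "Incorrect image type!"
                continue
            results.append(("SUCCESS", conn.read()))
    return results


def is_safe_remote_image_url(url, allowed_ports=(80, 443)):
    """The check the JSP lacks (assumed policy: http/https to a public address
    on 80/443 only). Resolves the host and vets every address it maps to, so a
    hostname pointing at 127.0.0.1 or 169.254.169.254 is rejected like a literal
    IP. A real fix must also connect to the vetted address (DNS rebinding) and
    disable or re-validate redirects."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:  # http://user@host confusion tricks
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port
        return False
    if port not in allowed_ports:
        return False
    try:
        infos = socket.getaddrinfo(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    for info in infos:
        addr = ipaddress.ip_address(info[4][0])
        addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:10.0.0.1 -> 10.0.0.1
        if addr.is_multicast or addr.is_reserved or not addr.is_global:
            return False
    return bool(infos)


def demo_bypass():
    """Run the PoC flow against the local listener and report what happened."""
    server, base = start_listener()
    try:
        state, body = vulnerable_fetch(base + "/.jpg")[0]
    finally:
        server.shutdown()
        server.server_close()
    return {
        "state": state,                    # "SUCCESS": the Content-Type check passed
        "bytes_saved": len(body or b""),   # what the JSP would write to disk
        "reached_listener": [p for p, _ in FakeImageHandler.received],
        "blocked_by_validator": not is_safe_remote_image_url(base + "/.jpg"),
    }


if __name__ == "__main__":
    print(demo_bypass())
```

Running the script shows the listener receiving "/.jpg" from the "server" and the fetch ending in SUCCESS, while the same URL fails the validator on two counts (loopback address and non-standard port). The validator deliberately resolves names rather than matching strings, since a DNS name or a decimal/octal IP spelling defeats substring blocklists; it still needs to be paired with pinning the connection to the resolved address and with redirect handling to be a complete fix.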
