Vulnerability Summary

Field                 Value
Product               go-fastdfs-web
Vendor                Perfree
Affected Version      v1.3.7 and prior
Vulnerability Type    CWE-918: Server-Side Request Forgery (SSRF)
Impact                Unauthorized access to internal resources, sensitive data exposure
CVSS v3.1 Score       8.6 (High)
CVSS Vector           AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed (the web application is the vulnerable component; the internal services it is made to contact are the impacted component)

1. Product Description

go-fastdfs-web is a web-based management interface for go-fastdfs, a distributed file system. It provides installation and configuration capabilities for managing file storage clusters.


2. Vulnerability Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the installation endpoint of go-fastdfs-web. The /install/checkServer endpoint takes a client-supplied URL in the serverAddress parameter and issues an HTTP request to it in order to confirm that a go-fastdfs server is reachable, without first checking whether the target is an internal or otherwise protected resource. Because the request originates from the application server, it reaches whatever that server can reach.

This vulnerability allows unauthenticated attackers to:

  1. Scan internal networks and discover internal services (reachable hosts and ports can be told apart from unreachable ones by response content and timing)
  2. Access cloud instance metadata services (AWS, GCP, Azure, etc.) that are only reachable from the instance itself
  3. Read local files via file:// URLs, but only if the HTTP client in use accepts that scheme (java.net.URL.openConnection() does; dedicated HTTP clients generally do not)
  4. Reach hosts the attacker cannot route to directly, bypassing network segmentation and firewall rules
  5. Potentially access sensitive internal APIs that trust requests from the application host
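The check a fix for this class of bug needs is shown below. This is an added example written for this page, not code from go-fastdfs-web; it assumes checkServer() calls validate() before building its request and then connects to the InetAddress that validate() returns instead of letting the HTTP client resolve the hostname a second time. The class and method names are this example's own.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

// Added example (not go-fastdfs-web code): vet a user-supplied serverAddress before the
// server sends a request to it.
public final class ServerAddressValidator {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns the vetted IP address to connect to, or throws IllegalArgumentException. */
    public static InetAddress validate(String serverAddress)
            throws URISyntaxException, UnknownHostException {
        URI uri = new URI(serverAddress);

        // Scheme allowlist: blocks file://, ftp://, jar: and similar regardless of HTTP client.
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }

        // getHost() is null for malformed authorities (e.g. "http://user@/", "http://a_b/");
        // refuse rather than guess what the client library would do with them.
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("missing or malformed host in " + serverAddress);
        }

        // Resolve, then check every address the name maps to. Resolving (rather than
        // string-matching the host) normalises literal forms the resolver accepts, such as
        // "2130706433", "127.1" or "[::1]", and catches names an attacker points at
        // private records alongside public ones.
        InetAddress[] candidates = InetAddress.getAllByName(host);
        for (InetAddress addr : candidates) {
            if (isInternal(addr)) {
                throw new IllegalArgumentException(
                        host + " resolves to internal address " + addr.getHostAddress());
            }
        }
        // Hand back the vetted address so the caller connects to it directly; resolving the
        // name again inside the HTTP client would reopen the DNS-rebinding window.
        return candidates[0];
    }

    /** True for any address a checkServer() probe must never reach. */
    static boolean isInternal(InetAddress addr) {
        if (addr.isAnyLocalAddress()          // 0.0.0.0, ::
                || addr.isLoopbackAddress()   // 127.0.0.0/8, ::1
                || addr.isLinkLocalAddress()  // 169.254.0.0/16 (metadata 169.254.169.254), fe80::/10
                || addr.isSiteLocalAddress()  // 10/8, 172.16/12, 192.168/16, fec0::/10
                || addr.isMulticastAddress()) {
            return true;
        }
        byte[] b = addr.getAddress();
        if (b.length == 16) {
            if ((b[0] & 0xfe) == 0xfc) {      // fc00::/7 unique local; isSiteLocalAddress() misses it
                return true;
            }
            boolean v4Mapped = (b[10] & 0xff) == 0xff && (b[11] & 0xff) == 0xff;
            for (int i = 0; i < 10; i++) {
                v4Mapped &= b[i] == 0;
            }
            if (v4Mapped) {                   // ::ffff:a.b.c.d: judge the embedded IPv4 address
                try {
                    return isInternal(InetAddress.getByAddress(Arrays.copyOfRange(b, 12, 16)));
                } catch (UnknownHostException e) {
                    return true;              // cannot happen for a 4-byte array; fail closed anyway
                }
            }
            return false;
        }
        // 100.64.0.0/10 shared address space (CGNAT; also used by some cloud metadata services)
        // is not flagged by any java.net predicate.
        int first = b[0] & 0xff;
        int second = b[1] & 0xff;
        return first == 100 && second >= 64 && second <= 127;
    }
}
```

Two things the validator cannot do on its own: the HTTP client must be configured not to follow redirects (an allowed public host can otherwise 302 the probe to an internal address), and it must connect to the returned address rather than the hostname. Both belong in the code that builds the request in checkServer().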


2.1 Critical Factor: Authentication Bypass

The vulnerability is particularly severe because the Shiro filter chain maps /install and /install/** to the anon filter, so the endpoint is reachable without any authentication even after the application has been installed:

File: src/main/java/com/perfree/config/ShiroConfig.java

Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
filterChainDefinitionMap.put("/install", "anon");
filterChainDefinitionMap.put("/install/**", "anon");  // No authentication required!
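One way to close the authentication gap while still letting a fresh deployment run its setup wizard is a filter that is anonymous only until installation has completed. This is an added example, not the project's own code; it assumes Shiro 1.x on javax.servlet and a hypothetical installation-state hook passed in as a BooleanSupplier (how go-fastdfs-web records that state is not shown on this page).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.BooleanSupplier;
import javax.servlet.Filter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.AccessControlFilter;

// Added example (not go-fastdfs-web code): /install/** stays open only until setup has
// completed; afterwards it requires an authenticated subject.
public class InstallOnceFilter extends AccessControlFilter {

    private final BooleanSupplier installed;  // hypothetical hook: true once the wizard has finished

    public InstallOnceFilter(BooleanSupplier installed) {
        this.installed = installed;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // Before installation there is no account to log in with, so the wizard must be
        // reachable; afterwards every /install/** handler, checkServer included, is admin-only.
        return !installed.getAsBoolean() || getSubject(request, response).isAuthenticated();
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;  // stop the chain; nothing further handles this request
    }

    /** Wiring for ShiroConfig: register the filter under a name and use that name instead of "anon". */
    public static void apply(ShiroFilterFactoryBean bean, BooleanSupplier installed) {
        Map<String, Filter> filters = new LinkedHashMap<>();
        filters.put("installOnce", new InstallOnceFilter(installed));
        bean.setFilters(filters);

        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/install", "installOnce");
        filterChainDefinitionMap.put("/install/**", "installOnce");
        // the project's remaining chain definitions follow here unchanged
        bean.setFilterChainDefinitionMap(filterChainDefinitionMap);
    }
}
```

This removes the unauthenticated exposure on an installed instance but does not fix the SSRF itself: an authenticated administrator, or anyone who reaches a deployment that has never completed setup, can still drive checkServer() at arbitrary targets until the serverAddress value is validated.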

3. Technical Details

3.1 Vulnerable Code Location

File: src/main/java/com/perfree/controller/InstallController.java
Method: checkServer()
Lines: 92-119