Jpress has a SSRF Vulnerability

Download the latest version and start it locally

![image](https://github.com/user-attachments/assets/65e384ad-4b04-4454-9ea6-562a16840f0f)
Replication process:
Login to the backend and create a new data source

![image](https://github.com/user-attachments/assets/0c797430-de77-4217-aa7e-137d9693e56f)
Select dynamic data source and add the ip of dnslog.

![image](https://github.com/user-attachments/assets/1b36e68a-9a1f-412e-93e8-9cb6e288a042)
After submitting, you can get the id from the queryDatasources route.

![image](https://github.com/user-attachments/assets/8f494a58-83ff-47ea-8e33-9e43a97e98ce)
Then use queryOptions route to trigger ssrf.

![image](https://github.com/user-attachments/assets/1e702248-da48-4142-b6fc-2425797d710f)
![image](https://github.com/user-attachments/assets/e6751b3e-9d3d-4d28-ae43-36505fa8c3c2)

Code Analysis:
Come to src/main/jsrf
src/main/java/io/jpress/module/form/controller/admin/_FormDatasourceController.java file
The queryDatasources route corresponds to the method that can be used to query the ids

![image](https://github.com/user-attachments/assets/0b44aaa1-04bf-497b-964a-90b025be1838)
If the data is dynamic, the method corresponding to the queryOptions route calls the proxy.start method.

![image](https://github.com/user-attachments/assets/fb064e25-a9e5-4a2b-89be-dfb56ba0f3e8)
Finally, the doSendRequest method is called to trigger the ssrf.

![image](https://github.com/user-attachments/assets/3f57dd47-a897-4627-b251-ff722f1a954d)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Jpress has a SSRF Vulnerability #190

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Jpress has a SSRF Vulnerability #190

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions