Issues » SSRF Vulnerability in RESTful ContentAPI

Issue: SI-29
Date: Nov 30, 2015, 10:00:00 AM
Severity: Low
Requires Admin Access: No
Fix Version: 3.3
Credit: Acunetix Security Scan

It is possible to force a remote dotCMS server to make an external request for a remote URL.

This does not constitute "critical" security flaws in dotCMS because the nature of a critical SSRF vulnerability is to either expose data from an internal file system or to be able to be used to probe remote servers and services that can be further exploited.  Both cases require that the results of remote call and the resulting XML object or status of the remote call is returned back to the attacker for inspection.  dotCMS never renders the resulting xml and instead throws an undifferentiated 500 exception, regardless of which vulnerability, url or protocol is used, valid or not. Nor does the attacker have any indication of the successful/unsuccessful result of the file or url call, which would be required to leverage these vectors to probe for further vulnerabilities.  At its worst, there is a chance that the vector could be used for some sort of DOS attack, but the rate of requests would be limited by how long the XML processing take,


Limit access to the /api/content endpoint to certain trusted IPs.

Or, use a web firewall rule to block any requests that specify:

Content-type: application/xml

in their request headers.