CVE-2022-27429
📋 TL;DR
Jizhicms v1.9.5 contains a Server-Side Request Forgery (SSRF) vulnerability in the /admin.php/Plugins/update.html endpoint. This allows attackers to make the server send unauthorized requests to internal systems. All users running Jizhicms v1.9.5 with the vulnerable endpoint accessible are affected.
💻 Affected Systems
- Jizhicms
📦 What is this software?
Jizhicms by Jizhicms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal networks, access cloud metadata services, perform port scanning, or interact with internal APIs to steal sensitive data or execute further attacks.
Likely Case
Attackers scan internal networks, access internal web services, or interact with cloud metadata to obtain credentials and escalate privileges.
If Mitigated
With proper network segmentation and access controls, impact is limited to the web server itself with minimal data exposure.
🎯 Exploit Status
Exploitation requires access to the admin endpoint. SSRF vulnerabilities are commonly weaponized due to their versatility in internal network attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.9.6 or later
Vendor Advisory: https://github.com/Cherry-toto/jizhicms/issues/67
Restart Required: No
Instructions:
1. Backup your current installation.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with patched versions.
4. Verify the update by checking the version.
🔧 Temporary Workarounds
Restrict Access to Admin Endpoint
Block external access to /admin.php/Plugins/update.html using web server configuration or firewall rules.
# Apache:
<Location /admin.php/Plugins/update.html>
    Require ip 192.168.1.0/24
</Location>
# Nginx:
location /admin.php/Plugins/update.html {
    deny all;
}
Network Segmentation
Isolate the Jizhicms server from internal networks to limit SSRF impact.
🧯 If You Can't Patch
- Implement strict outbound firewall rules to block the server from accessing internal services except necessary ones.
- Use a web application firewall (WAF) with SSRF protection rules to block malicious requests.
🔍 How to Verify
Check if Vulnerable:
Check if accessing /admin.php/Plugins/update.html with a malicious URL parameter causes the server to make external requests. Use controlled testing only.
Check Version:
Check the CMS version in the admin panel or look for version files in the installation directory.
Verify Fix Applied:
After patching, test the same endpoint with SSRF payloads to confirm requests are blocked or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound requests from the web server to internal IPs or domains
- Multiple requests to /admin.php/Plugins/update.html with URL parameters
Network Indicators:
- Web server making unexpected connections to internal services or cloud metadata endpoints
SIEM Query:
source="web_server_logs" AND uri="/admin.php/Plugins/update.html" AND (query CONTAINS "http://" OR query CONTAINS "https://")
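The SIEM query above matches a literal "http://" or "https://" in the query string. As an added example, not part of the original advisory, the following Python applies the same log indicator to Apache/Nginx combined-format access log lines and goes one step further by decoding percent-encoded (and double-encoded) parameter values before matching, so "http%3A%2F%2F" is caught as well. The sample log lines, the parameter name `url` and the source addresses are constructed for this illustration; the advisory does not name the vulnerable parameter, so every query parameter is inspected.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format as written by Apache/Nginx by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

TARGET_PATH = "/admin.php/Plugins/update.html"
SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:12:00:01 +0000] "GET /admin.php/Plugins/update.html?url=http://192.168.1.10/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:12:00:03 +0000] "GET /admin.php/Plugins/update.html?url=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2022:12:00:05 +0000] "GET /admin.php/Plugins/update.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2022:12:00:07 +0000] "GET /index.php?s=http://example.com HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (param, decoded_value) pairs for the update endpoint whose
    value embeds an http(s) URL; other paths yield an empty list."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoding.
        decoded = unquote(unquote(value))
        if SCHEME_RE.search(decoded):
            hits.append((key, decoded))
    return hits


def scan(lines):
    """Run the indicator over log lines and return one alert per hit."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, value in suspicious_params(rec["target"]):
            alerts.append({"ip": rec["ip"], "time": rec["time"],
                           "param": param, "value": value})
    return alerts


def count_by_source(alerts):
    """Aggregate alerts per client IP to surface repeated probing."""
    counts = {}
    for alert in alerts:
        counts[alert["ip"]] = counts.get(alert["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print(count_by_source(found))
```

Requests to the endpoint without a URL-bearing parameter are not flagged on their own, since the page's second log indicator is specifically about URL parameters; correlate the per-source counts with the outbound-connection indicator from the web server to confirm an attempt actually caused a request.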