CVE-2024-44721
📋 TL;DR
SeaCMS v13.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the /admin_reslib.php file via the url parameter. This allows attackers to make arbitrary HTTP requests from the vulnerable server, potentially accessing internal systems or services. All SeaCMS v13.1 installations with the vulnerable component accessible are affected.
💻 Affected Systems
- SeaCMS
📦 What is this software?
Seacms by Seacms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal networks, access cloud metadata services, perform port scanning, or interact with internal APIs to steal sensitive data or achieve remote code execution.
Likely Case
Attackers scan internal networks, access internal web applications, or interact with cloud metadata services to obtain credentials and escalate access.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to the web server's network segment and authorized external destinations.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. The GitHub issue shows proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v13.2 or later
Vendor Advisory: https://github.com/seacms-net/CMS/issues/23
Restart Required: No
Instructions:
1. Download the latest SeaCMS version from the official repository.
2. Back up the current installation.
3. Replace the affected files with the patched versions.
4. Verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation that restricts the url parameter to allowed domains only.
Modify /admin_reslib.php to validate the url parameter against a whitelist.
Access Restriction
Restrict access to the /admin_reslib.php endpoint using web server configuration:
# Apache: <Location /admin_reslib.php> Require ip 10.0.0.0/8 </Location>
# Nginx: location /admin_reslib.php { allow 10.0.0.0/8; deny all; }
🧯 If You Can't Patch
- Implement strict network egress filtering to limit outbound connections from web servers
- Deploy web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Send an HTTP request to /admin_reslib.php with the url parameter pointing at an internal service (e.g., http://169.254.169.254/) and check the response.
Check Version:
Check the SeaCMS version in the admin panel or read the version file.
Verify Fix Applied:
Repeat the same test after patching; the request should return an error or be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /admin_reslib.php with url parameter
- Outbound connections from web server to internal IP ranges or unusual domains
Network Indicators:
- Web server making unexpected outbound HTTP requests
- Traffic from web server to cloud metadata endpoints (169.254.169.254, 100.100.100.200)
SIEM Query:
source="web_server" AND (uri="/admin_reslib.php" AND query_contains("url="))
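The SIEM query above matches any request to /admin_reslib.php that carries a url= parameter. The following added example (not part of the advisory) applies the same logic to raw access-log lines and additionally ranks a hit HIGH when the supplied URL targets loopback, private, link-local or the cloud metadata addresses the advisory lists, so that probing of internal services stands out from legitimate external fetches. The log lines are constructed samples in Apache/Nginx combined format; the client and target addresses in them are documentation ranges, not real hosts.

```python
"""Triage access logs for requests matching the CVE-2024-44721 SIEM query.

Added detection example; the log lines are constructed samples.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client - - [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Cloud metadata endpoints named in the advisory's network indicators.
METADATA_IPS = {"169.254.169.254", "100.100.100.200"}

SAMPLE_LOGS = [  # constructed sample lines
    '198.51.100.7 - - [01/Sep/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Sep/2024:10:00:05 +0000] "GET /admin_reslib.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Sep/2024:10:00:09 +0000] "GET /admin_reslib.php?url=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 44',
    '203.0.113.9 - - [01/Sep/2024:10:01:00 +0000] "GET /admin_reslib.php?url=https://cdn.example.com/a.jpg HTTP/1.1" 200 9000',
    '203.0.113.9 - - [01/Sep/2024:10:01:30 +0000] "GET /admin_reslib.php HTTP/1.1" 200 3000',
]


def target_is_internal(url: str) -> bool:
    """True if the URL's host is a literal internal / metadata address or localhost.
    Hostnames are not resolved here, so a name that points internally is not
    caught by log review alone; the egress indicators cover that case."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or str(ip) in METADATA_IPS)


def triage(lines):
    """Return [(severity, client_ip, fetched_url)] for each request that hits
    /admin_reslib.php with a url= parameter, in log order.
    MEDIUM = endpoint used with a url parameter; HIGH = target is internal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        request = urlsplit(m["target"])
        if request.path != "/admin_reslib.php":
            continue
        params = parse_qs(request.query)  # also percent-decodes the value
        if "url" not in params:
            continue  # mirrors the SIEM query's query_contains("url=") clause
        fetched = params["url"][0]
        severity = "HIGH" if target_is_internal(fetched) else "MEDIUM"
        findings.append((severity, m["ip"], fetched))
    return findings


if __name__ == "__main__":
    for severity, client, fetched in triage(SAMPLE_LOGS):
        print(f"{severity:6} {client:15} {fetched}")
```

Correlating a MEDIUM hit with a near-simultaneous outbound connection from the web server (the network indicators above) is what turns it into a confident finding; the log alone only shows that the endpoint was exercised.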