CVE-2025-50234 Information

Aug 07, 2025 cve

Description

MCCMS v2.7.0 has an SSRF vulnerability located in the index() method of the sys\apps\controllers\api\Gf.php file where the pic parameter is processed. The pic parameter is decrypted using the sys_auth($pic 1) function which utilizes a hard-coded key Mc_Encryption_Key (bD2voYwPpNuJ7B8) defined in the db.php file. The decrypted URL is passed to the geturl() method which uses cURL to make a request to the URL without proper security checks. An attacker can craft a malicious encrypted pic parameter which when decrypted points to internal addresses or local file paths (such as http://127.0.0.1 or file://). By using the file:// protocol the attacker can access arbitrary files on the local file system (e.g. file:///etc/passwd file:///C:/Windows/System32/drivers/etc/hosts) allowing them to read sensitive configuration files log files and more leading to information leakage or system exposure. The danger of this SSRF vulnerability includes accessing internal services and local file systems through protocols like http:// ftp:// and file:// which can result in sensitive data leakage remote code execution privilege escalation or full system compromise severely affecting the system’s security and stability.

Reference

https://github.com/xiaoyangsec/mccms/blob/main/MCCMS-SSRF.md MCCMS v2.7.0 has an SSRF vulnerability located in the index() method of the sys\apps\controllers\api\Gf.php file where the pic parameter is processed. The pic parameter is decrypted using the sys_auth($pic 1) function which utilizes a hard-coded key Mc_Encryption_Key (bD2voYwPpNuJ7B8) defined in the db.php file. The decrypted URL is passed to the geturl() method which uses cURL to make a request to the URL without proper security checks. An attacker can craft a malicious encrypted pic parameter which when decrypted points to internal addresses or local file paths (such as http://127.0.0.1 or file://). By using the file:// protocol the attacker can access arbitrary files on the local file system (e.g. file:///etc/passwd file:///C:/Windows/System32/drivers/etc/hosts) allowing them to read sensitive configuration files log files and more leading to information leakage or system exposure. The danger of this SSRF vulnerability includes accessing internal services and local file systems through protocols like http:// ftp:// and file:// which can result in sensitive data leakage remote code execution privilege escalation or full system compromise severely affecting the system’s security and stability.

CNNVD-202508-595 (Published: 2025-08-06)

Share on: