DoraCMS 3.1 Security Report

SSRF (Responsible Disclosure)

Report Title: SSRF via UEditor Remote Image Fetch (catcher/catchImage)
Product: DoraCMS 3.1
Date: 2026-02-10
Scope: Source-code review of DoraCMS 3.1 server-side codebase

---

1. Executive Summary

DoraCMS 3.1 includes a Server-Side Request Forgery (SSRF) weakness in its UEditor integration. DoraCMS exposes UEditor endpoints under the upload module, and the UEditor "remote image catcher" action triggers server-side fetching of user-supplied URLs via / without destination restrictions, resource safety controls, or any form of URL parsing/validation.

---

2. Context: UEditor in DoraCMS is used for File Upload

DoraCMS integrates UEditor for file upload functionality, handled by the controller.

---

3. Vulnerability Overview

3.1 Title
Server-Side Request Forgery (SSRF) via UEditor Remote Image Fetch (catchImage)

3.2 Severity
High

3.3 OWASP Mapping
OWASP Top 10 (2021): A10 – Server-Side Request Forgery (SSRF)
Secondary: A05 – Security Misconfiguration (if the endpoint is publicly reachable; depends on deployment)

3.4 Affected Versions
Confirmed in DoraCMS 3.1 (source-level confirmation)

---

4. Affected Endpoints & Components

4.1 Routes
File:
GET
POST
Note: These UEditor routes are not protected by in .

4.2 Vulnerable Function
File:
Function:
- Accepts a URL from client input.
- Performs a server-side HTTP(S) request using the provided URL.
- Buffers the full response into memory as base64.
- Saves the content to a public upload directory.

---

5. Technical Details

5.1 Root Cause
Untrusted user input (a remote URL) is used directly in server-side HTTP request functions without validation or controls, creating an SSRF request primitive.

5.2 Code Evidence (Request Primitive)
Key security gaps:
- No URL parsing/validation
- No allowlist of domains/hosts
- No checks against RFC1918/loopback ranges
- No DNS rebinding defense
- No timeout on requests
- No maximum download size limit
- No redirect policy

5.3 Call Chain (UEditor "remote catcher" action)
1. Router routes the request to
2. checks
3. For the catcher action:
   - Reads URLs from
   - Calls
   - Persists fetched content to a public directory
   - Returns a JSON list of results

---

6. Impact Assessment

This SSRF weakness can enable:
1. Outbound requests to attacker-chosen destinations.
2. Access to internal-only services (pivoting).
3. Potential data exposure through persisted content.
4. Denial of Service due to lack of timeout/response size limits.

---

7. Reproduction / Verification (Safe Guidance)

To validate in a test environment:
1. Set up a controlled HTTP endpoint.
2. Invoke with a controlled URL.
3. Confirm the endpoint receives a request from the DoraCMS server.
4. Confirm a file is created in the public upload directory.

---

8. Recommendations

8.1 Preferred: Allowlist of Trusted Hosts
Restrict remote fetching to known domains. Reject IP-literal URLs unless explicitly required.

---

9. External Reference (Similar Vulnerability Class)

This issue matches a well-known SSRF pattern in UEditor "catchimage/catcher" implementations.

End of Report