**ProcessWire CMS SSRF Vulnerability Summary**

**Vulnerability Overview**

A Server-Side Request Forgery (SSRF) vulnerability exists in the admin panel of ProcessWire CMS (v3.0.255). The flaw is located in the module installation feature: the "Add Module From URL" function lets an authenticated administrator make the server issue HTTP requests to arbitrary URLs.

**Key Characteristics:**

- Vulnerability Type: Server-Side Request Forgery (SSRF)
- Severity: Medium-High
- Exploitation Requirement: Administrator privileges (Authentication Required: Yes)
- Exploitation Method: Crafted URLs cause the server to return detailed error messages (verbose error disclosure). Because the errors differ, they distinguish "open/reachable" from "closed/unreachable" target hosts, which makes internal network port scanning possible.

**Impact Scope**

- Affected Component: Admin Panel -> Modules -> Add Module From URL
- Affected Version: ProcessWire 3.0.255
- Prerequisite: The feature must first be enabled in the configuration (it is disabled by default).

**Remediation Measures**

1. Default Disable: Keep the setting at its default (disabled) state.
2. Disable in Production: Do not enable the "Add Module From URL" feature in production environments.
3. Access Control: Ensure only trusted administrators can access the module management interface.
4. Input Validation: If the feature must be enabled, strictly validate input URLs against a whitelist, restricting access to specific, trusted module sources only.
5. Error Message Handling: Avoid returning detailed server-side error information to users, to prevent information leakage that could aid attacks.

**POC / Exploit Code**

Enable the vulnerable feature in the configuration.

Exploitation Steps (no code needed; performed via the web UI):

1. Log in to the ProcessWire admin backend.
2. Navigate to Modules -> New -> Add Module From URL.
3. Enter the target URL in the "Module ZIP file URL" field.

**Test Cases and Results:**

Test 1: Internally Reachable Host

- Input URL:
- Result: The server successfully initiates the request and returns an error.
- Conclusion: The port is open and reachable, but the content is not a valid ZIP file. Error code 19 serves as an indicator of a reachable host.

Test 2: Nonexistent External Host

- Input URL:
- Result: Returns a detailed DNS resolution failure error.
- Conclusion: DNS resolution failed; the host is unreachable. The detailed error message is an indicator of an unreachable host.

Test 3: Valid External Host

- Input URL:
- Result: The server successfully makes an outbound request and returns an error (the content is not a ZIP file).
- Conclusion: Confirms the server can initiate external requests.
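As an added example of remediation items 4 and 5 above (not ProcessWire's own code), the check below accepts a module ZIP URL only if it is HTTPS, on an allowlisted host, on the standard port, and resolves to a public address, and it returns one identical user-facing message for every failure so the response cannot act as a reachability oracle. The allowlist, the offline resolver table and the function names are assumptions constructed for this example.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed allowlist of trusted module sources (constructed for this example).
TRUSTED_MODULE_HOSTS = {"modules.processwire.com", "github.com"}

# Constructed offline resolver so the example runs without DNS; a deployment
# would call socket.getaddrinfo and pin the resolved IP for the actual fetch
# (a second lookup at fetch time would reopen a DNS-rebinding window).
FAKE_DNS = {
    "modules.processwire.com": "23.45.67.89",   # constructed public address
    "github.com": "23.45.67.90",                # constructed public address
    "intranet.local": "10.0.0.5",               # RFC 1918, internal
}

# One user-facing message for every failure, so the response does not tell
# the caller whether a host resolved, refused, or returned a non-ZIP body.
GENERIC_ERROR = "Unable to retrieve module from the given URL."

def validate_module_url(url, allowed_hosts=TRUSTED_MODULE_HOSTS, resolver=FAKE_DNS):
    """Return (ok, reason). `reason` is for the server-side log only."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "scheme not https"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    if parts.port not in (None, 443):
        return False, "non-standard port"
    if host not in resolver:
        return False, "unresolvable host"
    addr = ipaddress.ip_address(resolver[host])
    # Reject anything that is not a routable public address, even if the
    # allowlisted name resolves there (misconfigured or hijacked DNS).
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified):
        return False, "resolves to non-public address"
    return True, "ok"

def handle_add_module_from_url(url, **kw):
    """Return what the admin UI would show; the detailed reason stays in the log."""
    ok, reason = validate_module_url(url, **kw)
    log_line = f"module-url check: url={url!r} ok={ok} reason={reason}"
    if not ok:
        return {"status": "error", "message": GENERIC_ERROR, "log": log_line}
    return {"status": "ok", "message": "URL accepted; fetching module.", "log": log_line}
```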