- From: <bugzilla@jessica.w3.org>
- Date: Thu, 26 Jun 2014 03:57:16 +0000
- To: www-validator-cvs@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26204

- Bug ID: 26204
- Summary: Local File Read via SSRF vulnerability in http://validator.w3.org/feed/
- Product: Validator
- Version: HEAD
- Hardware: All
- OS: All
- Status: NEW
- Severity: critical
- Priority: P2
- Component: Website
- Assignee: dave.null@w3.org
- Reporter: pnigos70@gmail.com
- QA Contact: www-validator-cvs@w3.org

Created attachment 1488 --> https://www.w3.org/Bugs/Public/attachment.cgi?id=1488&action=edit
the content of passwd on w3 server

Hi,

I found an SSRF vulnerability in the feed validator of w3. It can let an attacker read arbitrary server files, do port scans and detect the internal network.

People can provide a URL and let the feed validator validate it. If we use file:///etc/passwd as the URL, the response will force http:// to be added before our URL and echo an error.

But we can use a redirect.php as a redirector. Use http://www.xxx.com/redirect.php?url=file:///etc/passwd as the URL, and this time I am able to read arbitrary files on the server.

I attached screenshots as proof of concept.

Regards,
Tianqi Zhang

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Thursday, 26 June 2014 03:57:17 UTC
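
The report describes a scheme check applied only to the submitted URL and not to the redirect target. The sketch below is an added example, not part of the original report or of the validator's code: it follows redirects by hand and re-validates scheme and resolved address on every hop. The hooks `fetch_once` and `resolve`, the `.example` hosts and the sample responses are constructed assumptions.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit
ALLOWED_SCHEMES = {"http", "https"}

class BlockedURL(Exception):
    """Raised when a URL or redirect target must not be fetched."""

def check_url(url, resolve):
    """Reject non-HTTP schemes and hosts resolving to non-public addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise BlockedURL("scheme not allowed: %r" % url)
    if not parts.hostname:
        raise BlockedURL("no host: %r" % url)
    for addr in resolve(parts.hostname):
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedURL("non-public address %s for %r" % (addr, url))

def fetch_checked(url, fetch_once, resolve, max_hops=5):
    """Follow redirects by hand, validating every hop before requesting it.
    fetch_once(url) -> (status, location, body) must not follow redirects
    itself; resolve(host) -> list of IP strings. Both are hypothetical hooks.
    """
    for _ in range(max_hops + 1):
        check_url(url, resolve)
        status, location, body = fetch_once(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return url, body
    raise BlockedURL("too many redirects")

# Constructed stand-ins for DNS and the network so the example runs offline.
FAKE_DNS = {"feeds.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"],
            "redirector.example": ["93.184.216.34"]}
FAKE_WEB = {
    "http://feeds.example/rss": (200, None, "<rss/>"),
    "http://redirector.example/ok": (302, "http://feeds.example/rss", ""),
    "http://redirector.example/file": (302, "file:///etc/passwd", ""),
    "http://redirector.example/internal": (302, "http://intranet.example:8080/", ""),
}

def is_blocked(url):
    """True if the checked fetch refuses url or any redirect hop from it."""
    try:
        fetch_checked(url, FAKE_WEB.__getitem__, lambda h: FAKE_DNS.get(h, [h]))
    except BlockedURL:
        return True
    return False
```

In a real fetcher the connection should be made to the address that passed the check, since a hostname can resolve differently between the check and the request.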