- From: <bugzilla@jessica.w3.org>
- Date: Thu, 26 Jun 2014 03:57:16 +0000
- To: www-validator-cvs@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26204
Bug ID: 26204
Summary: Local File Read via SSRF vulnerability in http://validator.w3.org/feed/
Product: Validator
Version: HEAD
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P2
Component: Website
Assignee: dave.null@w3.org
Reporter: pnigos70@gmail.com
QA Contact: www-validator-cvs@w3.org
Created attachment 1488
--> https://www.w3.org/Bugs/Public/attachment.cgi?id=1488&action=edit
the content of passwd on w3 server
Hi,
I found an SSRF vulnerability in the feed validator of w3. It can let an attacker read
arbitrary server files, do port scans and detect the internal network.
People can provide a URL and let the feed validator validate it. If we use
file:///etc/passwd as the URL, the response will forcibly add http:// before our URL
and echo an error.
But we can use a redirect.php as a redirector. Use
http://www.xxx.com/redirect.php?url=file:///etc/passwd as the URL and this time I
am able to read arbitrary files on the server.
I attached screenshots as proof of concept.
Regards,
Tianqi Zhang
Received on Thursday, 26 June 2014 03:57:17 UTC
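
The report describes a check applied only to the submitted URL, which a redirect to a file:// target bypasses. As an added example (not the validator's own code, and not from the reporter), the following Python sketch applies the same scheme and address check to every redirect hop; the names `check_target`, `BlockedTarget`, `CheckedRedirects` and `fetch_feed` are hypothetical.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: feeds are only fetched over HTTP(S)


class BlockedTarget(ValueError):
    """Raised when a URL (submitted or redirect target) must not be fetched."""


def check_target(url):
    """Reject non-HTTP(S) schemes and hosts that resolve to non-public addresses."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise BlockedTarget(f"scheme not allowed: {scheme or '(none)'}")
    if not parts.hostname:
        raise BlockedTarget("URL has no host")
    port = parts.port or (443 if scheme == "https" else 80)
    try:
        infos = socket.getaddrinfo(parts.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise BlockedTarget(f"cannot resolve host: {exc}") from exc
    for info in infos:
        # Strip any IPv6 zone id before parsing the resolved address.
        addr = ipaddress.ip_address(info[4][0].split("%")[0])
        if not addr.is_global:  # loopback, RFC 1918, link-local, ...
            raise BlockedTarget(f"{parts.hostname} resolves to non-public {addr}")
    return url


class CheckedRedirects(urllib.request.HTTPRedirectHandler):
    """Run check_target on every redirect hop, not only on the submitted URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_target(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_feed(url, timeout=10):
    """Fetch a user-supplied feed URL with the check enforced on each hop."""
    opener = urllib.request.build_opener(CheckedRedirects)
    with opener.open(check_target(url), timeout=timeout) as resp:
        return resp.read()
```

The address check resolves the host separately from the connection that follows, so a deployment that must also resist DNS changes between the two would pin the checked address for the connection or route fetches through an egress proxy.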