| शीर्षक | Youke365 Youke365 ≤v1.5.3 SSRF |
|---|
| विवरण | The Youke365 platform, specifically its version up to 1.5.3, contains a blind Server-Side Request Forgery (SSRF) vulnerability within the /app/api/controller/collect.php file. This issue arises when a user-supplied 'url' parameter is improperly handled and passed to a cURL function, allowing an attacker to initiate requests to arbitrary URLs, including potentially sensitive internal services, as demonstrated by intercepting a custom 'gopher' protocol request on a listening server with the payload '_test123'. |
|---|
| स्रोत | ⚠️ https://note.zhaoj.in/share/3jF3Xpl3ttlZ |
|---|
| उपयोगकर्ता | glzjin (UID 59815) |
|---|
| सबमिशन | 05/01/2024 04:07 AM (2 साल पहले) |
|---|
| संयम | 07/01/2024 09:01 PM (3 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 249871 [Youke365 तक 1.5.3 collect.php url अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|