Submeter #262620: Youke365 Youke365 ≤v1.5.3 SSRFinformação

TítuloYouke365 Youke365 ≤v1.5.3 SSRF
DescriçãoThe Youke365 platform, specifically its version up to 1.5.3, contains a blind Server-Side Request Forgery (SSRF) vulnerability within the /app/api/controller/collect.php file. This issue arises when a user-supplied 'url' parameter is improperly handled and passed to a cURL function, allowing an attacker to initiate requests to arbitrary URLs, including potentially sensitive internal services, as demonstrated by intercepting a custom 'gopher' protocol request on a listening server with the payload '_test123'.
Fonte⚠️ https://note.zhaoj.in/share/3jF3Xpl3ttlZ
Utilizador
 glzjin (UID 59815)
Submissão05/01/2024 04h07 (há 2 anos)
Moderação07/01/2024 21h01 (3 days later)
EstadoAceite
Entrada VulDB249871 [Youke365 até 1.5.3 collect.php url Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Might our Artificial Intelligence support you?

Check our Alexa App!