| Title | 60IndexPage 60IndexPage ≤v1.8.5 SSRF |
|---|
| Description | The file /apply/index.php in the 60IndexPage System software version ≤v1.8.5, hosted at https://hao.lylme.com/, has been identified to contain a Pre-Authentication Blind Server Side Request Forgery (SSRF) vulnerability. This issue arises as the 'url' parameter accepted by the file is directly passed to the cURL function without proper sanitization, and only a superficial check for image extension is performed using pathinfo. This vulnerability allows an attacker to send arbitrary requests from the server to an external or internal network, potentially enabling unauthorized access to sensitive data or services. The vulnerability was confirmed by sending a test request using the gopher protocol and successfully receiving the response on the attacker's server. |
|---|
| Source | ⚠️ https://note.zhaoj.in/share/iNSyaClT0hGi |
|---|
| User | glzjin (UID 59815) |
|---|
| Submission | 01/19/2024 09:06 (2 years ago) |
|---|
| Moderation | 01/26/2024 13:44 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 252190 [60IndexPage up to 1.8.5 Parameter /apply/index.php url server-side request forgery] |
|---|
| Points | 20 |
|---|