| Field | Value |
|---|---|
| Title | diyhi bbs 6.8 Server-Side Request Forgery |
| Description | In the bbs project, the /admin/login POST endpoint builds a request URL by concatenating user-controlled HTTP request attributes: request.getScheme(), request.getServerName(), request.getServerPort() and request.getContextPath(). Because request.getServerName() is derived from the incoming Host header, an attacker can supply an arbitrary hostname (and port), causing the application to make backend HTTP requests to attacker-controlled or otherwise unauthorized targets.<br>Project Link: https://github.com/diyhi/bbs<br>Affected Version: 6.8<br>Affected API: /admin/login<br>Code Location: /src/main/java/cms/web/action/AdminManageAction.java:213 |
| Source | https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250618-02.md |
| User | ShenxiuSecurity (UID 84374) |
| Submission | 06/18/2025 11:10 |
| Moderation | 06/27/2025 07:23 (9 days later) |
| Status | Accepted |
| VulDB entry | 314073 [diyhi bbs up to 6.8 HTTP Header /admin/login getUrl Host server-side request forgery] |
| Points | 20 |
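As an added illustration (not code from the bbs project), the Host-header-derived URL construction the description names is shown beside two defensive alternatives: a base URL taken from deployment configuration, and a Host value accepted only from an explicit allowlist. `RequestView` is a stand-in for the `HttpServletRequest` getters, and the hostnames and configured base URL are constructed values.

```java
import java.util.Locale;
import java.util.Set;

public class BaseUrlExample {
    // Stand-in for the HttpServletRequest getters named in the report (constructed for this example).
    interface RequestView {
        String getScheme();
        String getServerName();
        int getServerPort();
        String getContextPath();
    }

    // Pattern described in the report: getServerName() reflects the client's Host header,
    // so whoever sends the request chooses the host the server will later connect to.
    static String vulnerableBaseUrl(RequestView req) {
        return req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort()
                + req.getContextPath();
    }

    // Hardened variant 1: the scheme, host and port come from deployment configuration,
    // never from the incoming request, so the Host header cannot redirect backend calls.
    static String configuredBaseUrl(String configuredOrigin, RequestView req) {
        return configuredOrigin + req.getContextPath();
    }

    // Hardened variant 2 (when several virtual hosts are served): accept the request's
    // host only if it is on an explicit allowlist; otherwise fall back to a fixed origin.
    static String allowlistedBaseUrl(Set<String> allowedHosts, String fallbackOrigin, RequestView req) {
        String host = req.getServerName();
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return fallbackOrigin + req.getContextPath();
        }
        return req.getScheme() + "://" + host + ":" + req.getServerPort() + req.getContextPath();
    }

    public static void main(String[] args) {
        // Constructed request carrying an unexpected Host header (illustrative value only).
        RequestView req = new RequestView() {
            public String getScheme() { return "http"; }
            public String getServerName() { return "unexpected-host.invalid"; }
            public int getServerPort() { return 8080; }
            public String getContextPath() { return "/bbs"; }
        };
        Set<String> allowed = Set.of("forum.example.org");
        System.out.println("vulnerable : " + vulnerableBaseUrl(req));
        System.out.println("configured : " + configuredBaseUrl("https://forum.example.org", req));
        System.out.println("allowlisted: " + allowlistedBaseUrl(allowed, "https://forum.example.org", req));
    }
}
```

Only the first line of output names the host taken from the request; both hardened variants resolve to the configured origin, which is the behaviour a reviewer would want to see at the reported code location.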