Improper Privilege Management in liukuo362573/yishaadmin

Valid

Reported on

Jan 22nd 2022


Description

Hi there yishaadmin maintainer team, I would like to report an improper privilege management in yishaadmin source code. The link /admin/ToolManage/Server/GetServerJson requires no authentication and accessible for everyone, which returns server info like RAM, CPU usage.

Proof of Concept

  1. Access the link http://106.14.124.170/admin/ToolManage/Server/GetServerJson without logging in to yishaadmin page
  2. See that the API returns data about server side information.

Impact

This vulnerability is capable of server side information disclosure.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 4 months ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 4 months ago
liukuo362573 validated this vulnerability 4 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 confirmed that a fix has been merged on 6ff260 4 months ago
The fix bounty has been dropped
to join this conversation