Improper Privilege Management in liukuo362573/yishaadmin
Jan 22nd 2022
Hi there yishaadmin maintainer team, I would like to report an improper privilege management in yishaadmin source code.
/admin/ToolManage/Server/GetServerJson requires no authentication and accessible for everyone, which returns server info like RAM, CPU usage.
Proof of Concept
- Access the link
http://188.8.131.52/admin/ToolManage/Server/GetServerJsonwithout logging in to yishaadmin page
- See that the API returns data about server side information.
This vulnerability is capable of server side information disclosure.