Server-Side Request Forgery (SSRF) in prasathmani/tinyfilemanager
Valid
Reported on Apr 16th 2021
✍️ Description
SSRF to access internal server
🕵️‍♂️ Proof of Concept
- Go to http://localhost/tinyfilemanager/index.php?p=&upload, put in an internal server address and see that it will fetch that file.
Video PoC: https://drive.google.com/file/d/1dsTqvuQbGN619Gdncze4tuIH7MsonliT/view?usp=sharing
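As an added illustration (not tinyfilemanager's own code, and not a description of what the linked fix commit does), the kind of check that closes this class of bug: a URL handed to an upload-from-URL feature is restricted to http/https, and every address it resolves to is rejected if it is loopback, private or link-local. The function names and the example.com input are assumptions.

```php
<?php
// Added example (not tinyfilemanager's own code): validate a user-supplied
// URL before the server fetches it, so an "upload from URL" feature cannot
// be pointed at loopback, private or link-local addresses.

// True for private (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved
// (127/8, 169.254/16, 0/8, ::1, fe80::/10, IPv4-mapped IPv6) addresses.
function is_internal_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

// Returns the IP the fetch must connect to, or null if the URL is not allowed.
// The caller should pin that IP (e.g. curl's CURLOPT_RESOLVE) and disable
// redirect following, so a DNS rebind or a 302 cannot send the fetch inside.
function validate_fetch_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // no file://, ftp://, gopher://, dict:// ...
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 brackets

    // Literal IP in the URL: check it directly (covers 127.0.0.1, [::1], ...).
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_internal_ip($host) ? null : $host;
    }

    // Hostname: every A/AAAA answer must be public, not just the first one.
    $records = dns_get_record($host, DNS_A + DNS_AAAA);
    if ($records === false || $records === []) {
        return null;
    }
    $ips = [];
    foreach ($records as $r) {
        $ips[] = $r['ip'] ?? $r['ipv6'];
    }
    foreach ($ips as $ip) {
        if (is_internal_ip($ip)) {
            return null;
        }
    }
    return $ips[0];
}

// Constructed inputs: loopback literals are rejected, a public host is allowed.
var_dump(validate_fetch_url('http://127.0.0.1/admin'));
var_dump(validate_fetch_url('http://[::1]:8080/'));
var_dump(validate_fetch_url('https://example.com/file.txt'));
```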
💥 Impact
SSRF to access the internal network
Issue fixed: https://github.com/prasathmani/tinyfilemanager/commit/a04567d3baaf5881d370d50e703fc3fbb8aebaeb