Server-Side Request Forgery (SSRF) in prasathmani/tinyfilemanager

Valid

Reported on

Apr 16th 2021


✍️ Description

SSRF to access internal server

🕵️‍♂️ Proof of Concept

  1. Go to http://localhost/tinyfilemanager/index.php?p=&upload, enter an internal server address, and see that it will fetch that file

Video PoC: https://drive.google.com/file/d/1dsTqvuQbGN619Gdncze4tuIH7MsonliT/view?usp=sharing

💥 Impact

SSRF to access internal network
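The report above boils down to one missing check: the "upload from URL" feature fetched whatever address the user supplied, including hosts that should only be reachable from inside the server's network. The following is an added illustration of the kind of destination check such a feature needs; it is not tinyfilemanager's code and not the fix in the linked commit. It assumes a hypothetical `check_fetch_url()` gate that the fetcher calls before opening any connection, with an injectable resolver so the logic can run offline against constructed hostnames.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical destination check for a "fetch a file from this URL" feature.
# Added example, not tinyfilemanager's own code.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _default_resolver(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_address_public(addr):
    """True only for addresses outside loopback, private, link-local,
    multicast, reserved and unspecified ranges (IPv4 and IPv6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # ::ffff:10.0.0.1 is still 10.0.0.1; judge the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_fetch_url(url, resolver=_default_resolver):
    """Return (ok, reason). ok is True only when the scheme and port are
    allowed and every address the host resolves to is public."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, OSError):
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    # Every address must pass: a host with one public and one internal
    # record must be rejected, not accepted on the public one.
    for addr in addrs:
        if not is_address_public(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs without DNS.
    stub = lambda host: {"8.8.8.8"} if host == "files.example.com" else {"10.0.0.5"}
    for u in ("https://files.example.com/a.txt",
              "http://intranet.example.com/a.txt",
              "http://127.0.0.1/index.php"):
        print(u, check_fetch_url(u, stub if "example.com" in u else lambda h: {h}))
```

Two caveats a practitioner would want: the check and the actual connection must use the same resolved address (pin the validated IP on the socket rather than resolving a second time), or a host whose record changes between the two lookups defeats it; and the fetcher must either refuse redirects or re-run this check on every redirect target, since a public host can answer with a redirect to an internal one.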

Prasath Mani
a year ago

Maintainer


sdf

Prasath Mani
a year ago

Maintainer


Issue fixed https://github.com/prasathmani/tinyfilemanager/commit/a04567d3baaf5881d370d50e703fc3fbb8aebaeb
