Improper Authorization in liukuo362573/yishaadmin

Valid

Reported on

Jan 22nd 2022


Description

Hi there yisshadmin team, I would like to report an improper authorization in yishaadmin source code. The link /admin/ToolManage/Server/ServerIndex requires no authorization and available for anyone to view server information like IP, RAM, CPU...

Proof of Concept

  1. Access the link http://106.14.124.170/admin/ToolManage/Server/ServerIndex without logging into yishaadmin demo
  2. See that the server returns very sensitive server side information.
  3. Here is a POC image https://drive.google.com/file/d/1cR_lUzBRTdkCMU5q2C5szRX3P1IbSPG6/view?usp=sharing

Impact

This vulnerability is capable of information disclosure.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 4 months ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 4 months ago
liukuo362573 validated this vulnerability 4 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 confirmed that a fix has been merged on 6ff260 4 months ago
The fix bounty has been dropped
to join this conversation