Improper Authorization in liukuo362573/yishaadmin
Jan 22nd 2022
Hi there yisshadmin team, I would like to report an improper authorization in yishaadmin source code.
/admin/ToolManage/Server/ServerIndex requires no authorization and available for anyone to view server information like IP, RAM, CPU...
Proof of Concept
- Access the link
http://184.108.40.206/admin/ToolManage/Server/ServerIndexwithout logging into yishaadmin demo
- See that the server returns very sensitive server side information.
- Here is a POC image
This vulnerability is capable of information disclosure.
We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. a year ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back a year ago
liukuo362573 validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 marked this as fixed in 3.1 with commit 6ff260 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation