Improper Authorization in liukuo362573/yishaadmin


Reported on

Jan 22nd 2022


Hi there yishaadmin team, I would like to report an improper authorization in yishaadmin source code. The link /admin/ToolManage/Server/ServerIndex requires no authorization and is available for anyone to view server information like IP, RAM, CPU...

Proof of Concept

  1. Access the link without logging into yishaadmin demo
  2. See that the server returns very sensitive server side information.
  3. Here is a POC image


This vulnerability is capable of information disclosure.
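An added regression check (not code from the report or from the yishaadmin project) that a maintainer could run after the fix: it requests the page named above with no session and treats anything other than a 401/403 or a redirect to a login page as a failure. The `fetch` callable, the login path and the two sample responses are constructed for offline use; the markers it scans for (IP, RAM, CPU) are taken from the report's description of what the page exposed.

```python
from dataclasses import dataclass
from typing import Callable, Dict
import re

# Endpoint named in the report; reachable anonymously before the fix.
SERVER_INFO_PATH = "/admin/ToolManage/Server/ServerIndex"

# Words the report says the page shows; a 200 containing them is treated as disclosure.
SENSITIVE_MARKERS = re.compile(r"\b(ip|ram|cpu)\b", re.IGNORECASE)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def classify(resp: Response) -> str:
    """Decide whether an unauthenticated request was properly rejected.

    'protected'  -> 401/403, or a redirect whose Location points at a login page
    'exposed'    -> 200 whose body carries the server details from the report
    'ambiguous'  -> anything else (generic page, other redirect); review by hand
    """
    if resp.status in (401, 403):
        return "protected"
    location = resp.headers.get("Location", "")
    if resp.status in (301, 302, 303, 307) and "login" in location.lower():
        return "protected"
    if resp.status == 200 and SENSITIVE_MARKERS.search(resp.body):
        return "exposed"
    return "ambiguous"


def check_anonymous_access(fetch: Callable[[str], Response],
                           path: str = SERVER_INFO_PATH) -> str:
    """Fetch `path` with no credentials and classify the answer.
    `fetch` is injected so the check can run offline or against a real deployment."""
    return classify(fetch(path))


# Constructed responses modelling pre-fix and post-fix behaviour (not real captures).
def vulnerable_fetch(path: str) -> Response:
    return Response(200, {"Content-Type": "text/html"},
                    "<td>IP</td><td>10.0.0.5</td><td>CPU</td><td>8 cores</td>"
                    "<td>RAM</td><td>16 GB</td>")


def fixed_fetch(path: str) -> Response:
    # Login path is an assumption for the sample; any login redirect counts as protected.
    return Response(302, {"Location": "/admin/Login"}, "")


if __name__ == "__main__":
    print("before fix:", check_anonymous_access(vulnerable_fetch))  # exposed
    print("after fix:", check_anonymous_access(fixed_fetch))        # protected
```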

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. a year ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back a year ago
liukuo362573 validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 marked this as fixed in 3.1 with commit 6ff260 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE