Improper Authorization in liukuo362573/yishaadmin

Valid

Reported on

Jan 22nd 2022

Description

Hi there yisshadmin team, I would like to report an improper authorization in yishaadmin source code. The link /admin/ToolManage/Server/ServerIndex requires no authorization and available for anyone to view server information like IP, RAM, CPU...

Proof of Concept

  1. Access the link http://106.14.124.170/admin/ToolManage/Server/ServerIndex without logging into yishaadmin demo
  2. See that the server returns very sensitive server side information.
  3. Here is a POC image https://drive.google.com/file/d/1cR_lUzBRTdkCMU5q2C5szRX3P1IbSPG6/view?usp=sharing

Impact

This vulnerability is capable of information disclosure.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. a year ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back a year ago
liukuo362573 validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 marked this as fixed in 3.1 with commit 6ff260 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation