You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Nice job man (sorry for the english) !
On your demo site https://unblockvideos.com/ I found a SSRF failure. I don't know if it is the good place to share this but if you type http://localhost/server-status you can see the problem...
Filtering requested URLs through the proxy and disable Apache mod_status from localhost could be a good idea.
And with str_rot_pass() function in https://github.com/Athlon1600/php-proxy/blob/master/src/helpers.php, an attacker could compare a plain text request with the corresponding cyphertext returned by the proxy, and retrieving secret key (by substracting each chars). With this key he can create custom queries, for example launch a port scanning on localhost. You can for example append a HTAG in the proxied URLs.
The text was updated successfully, but these errors were encountered:
Nice job man (sorry for the english) !
On your demo site https://unblockvideos.com/ I found a SSRF failure. I don't know if it is the good place to share this but if you type http://localhost/server-status you can see the problem...
Filtering requested URLs through the proxy and disable Apache mod_status from localhost could be a good idea.
And with str_rot_pass() function in https://github.com/Athlon1600/php-proxy/blob/master/src/helpers.php, an attacker could compare a plain text request with the corresponding cyphertext returned by the proxy, and retrieving secret key (by substracting each chars). With this key he can create custom queries, for example launch a port scanning on localhost. You can for example append a HTAG in the proxied URLs.
The text was updated successfully, but these errors were encountered: