An unauthorized SSRF vulnerability in the designer page. #483

Open
T3qui1a opened this issue Nov 29, 2019 · 0 comments
T3qui1a commented Nov 29, 2019

In this part of the source code, we find that users can make connection requests to any IP address.
image
Then we found that the designer page did not verify the accessing user's permissions.
So we can directly implement the SSRF attack on this page to detect the database port of the intranet device.
image
image
When the database port is detected to be open, the page will respond with a database login failure.
image
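
A server-side check that addresses the three behaviours reported above (no permission check, connection to any IP address, and a response that differs when the port is open), written as an added example and not taken from the project's code. The names `ALLOWED_DB_TARGETS`, `pick_db_target` and `client_message`, and the address `203.0.113.10`, are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed allowlist (assumption): the only database endpoints the server may dial.
ALLOWED_DB_TARGETS = {("203.0.113.10", 3306)}
# One message for every failure, so responses do not reveal whether a port was open.
GENERIC_ERROR = "Data source unavailable."


def resolve_all(host):
    """Resolve host to the set of its IP addresses; literal IPs map to themselves."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def pick_db_target(host, port, authenticated,
                   allowed=ALLOWED_DB_TARGETS, resolver=resolve_all):
    """Return the (ip, port) the server may connect to, or None to refuse.

    Runs before any socket is opened. The caller must connect to the returned IP
    rather than re-resolve the hostname, so a later DNS change cannot swap the target.
    """
    if not authenticated:  # the designer endpoint must not serve anonymous users
        return None
    try:
        port = int(port)
        addrs = resolver(host)
    except (ValueError, TypeError, OSError, UnicodeError):
        return None
    # Every resolved address must be allowlisted; one stray record is enough to refuse.
    if not addrs or any((str(a), port) not in allowed for a in addrs):
        return None
    return (sorted(str(a) for a in addrs)[0], port)


def client_message(target, connect_outcome=None):
    """Map refusal, closed port, timeout and failed login to the same response."""
    if target is not None and connect_outcome == "connected":
        return "ok"
    return GENERIC_ERROR
```

The detailed connection error belongs in the server log only; the client sees `GENERIC_ERROR` whichever way the attempt failed.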
