This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26204 - Local File Read via SSRF vulnerability in
Summary: Local File Read via SSRF vulnerability in
Status: NEW
Alias: None
Product: Validator
Classification: Unclassified
Component: Website (show other bugs)
Version: HEAD
Hardware: All All
: P2 critical
Target Milestone: ---
Assignee: This bug has no owner yet - up for the taking
QA Contact: qa-dev tracking
Depends on:
Reported: 2014-06-26 03:57 UTC by pnigos70
Modified: 2018-05-09 20:16 UTC (History)
1 user (show)

See Also:
jordancarrillo530: needinfo+

the content of passwd on w3 server (52.30 KB, image/png)
2014-06-26 03:57 UTC, pnigos70

Description pnigos70 2014-06-26 03:57:16 UTC
Created attachment 1488 [details]
the content of passwd on w3 server


I found a SSRF vulnerability in feed validator of w3,it can let attacker read arbitrary server file,do port scan and detect internal network.
People can provide a url and let feed validator to validate it.If we use file:///etc/passwd as url,the reponse will force to add http:// before our url and echo an error.

But we can use a redirect.php as a redirector.Use as url and this time i am able to read arbitrary file on the server.

I attached screenshots as proof of concept.

Tianqi Zhang