This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Created attachment 1488 [details] the content of passwd on w3 server Hi, I found a SSRF vulnerability in feed validator of w3,it can let attacker read arbitrary server file,do port scan and detect internal network. People can provide a url and let feed validator to validate it.If we use file:///etc/passwd as url,the reponse will force to add http:// before our url and echo an error. But we can use a redirect.php as a redirector.Use http://www.xxx.com/redirect.php?url=file:///etc/passwd as url and this time i am able to read arbitrary file on the server. I attached screenshots as proof of concept. Regards, Tianqi Zhang