This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26204 - Local File Read via SSRF vulnerability in http://validator.w3.org/feed/
Summary: Local File Read via SSRF vulnerability in http://validator.w3.org/feed/
Status: NEW
Alias: None
Product: Validator
Classification: Unclassified
Component: Website
Version: HEAD
Hardware: All All
Importance: P2 critical
Target Milestone: ---
Assignee: This bug has no owner yet - up for the taking
QA Contact: qa-dev tracking
Reported: 2014-06-26 03:57 UTC by pnigos70
Modified: 2018-05-09 20:16 UTC

See Also:
jordancarrillo530: needinfo+


Attachments
the content of passwd on w3 server (52.30 KB, image/png)
2014-06-26 03:57 UTC, pnigos70

Description pnigos70 2014-06-26 03:57:16 UTC
Created attachment 1488
the content of passwd on w3 server

Hi,

I found an SSRF vulnerability in the feed validator of w3; it can let an attacker read arbitrary server files, do port scans and detect the internal network.
People can provide a URL and let the feed validator validate it. If we use file:///etc/passwd as the URL, the response will force http:// to be added before our URL and echo an error.

But we can use a redirect.php as a redirector. Use http://www.xxx.com/redirect.php?url=file:///etc/passwd as the URL, and this time I am able to read arbitrary files on the server.

I attached screenshots as proof of concept.

Regards,
Tianqi Zhang
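
A fetcher that closes the redirect bypass described in this report by applying the scheme and address policy to every redirect hop, not only to the submitted URL. This is an added example, not the feed validator's own code; `check_target`, `CheckedRedirectHandler`, `fetch_feed` and the sample resolver data are hypothetical names and constructed values.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

class UnsafeTarget(ValueError):
    """The URL must not be fetched by the server."""

def system_resolve(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_target(url, resolve=system_resolve):
    """Return url if it is http(s) and every address it resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme or '(none)'}")
    host = parts.hostname
    if not host:
        raise UnsafeTarget("no host in URL")
    try:
        addrs = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs or not all(a.is_global for a in addrs):
        raise UnsafeTarget(f"host is unresolvable or not public: {host}")
    return url

class CheckedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Apply the same policy to every Location header, not just the first URL."""
    def __init__(self, resolve=system_resolve):
        self.resolve = resolve

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_target(newurl, self.resolve)  # rejects file://, loopback, intranet
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def fetch_feed(url, resolve=system_resolve, timeout=10):
    """Fetch a user-supplied feed URL with the policy enforced on each hop."""
    check_target(url, resolve)
    opener = urllib.request.build_opener(CheckedRedirectHandler(resolve))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()

# Constructed sample resolver so the checks can be exercised offline.
SAMPLE_DNS = {"feeds.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])
```

The address check resolves the name separately from the connection that follows, so a deployment that must also resist DNS rebinding needs to connect to the address it validated.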