26204 – Local File Read via SSRF vulnerability in http://validator.w3.org/feed/

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26204 - Local File Read via SSRF vulnerability in http://validator.w3.org/feed/

Summary: Local File Read via SSRF vulnerability in http://validator.w3.org/feed/

Status:	NEW

Alias:	None

Product:	Validator
Classification:	Unclassified
Component:	Website (show other bugs)
Version:	HEAD
Hardware:	All All

Importance:	P2 critical
Target Milestone:	---
Assignee:	This bug has no owner yet - up for the taking
QA Contact:	qa-dev tracking

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-06-26 03:57 UTC by pnigos70
Modified:	2018-05-09 20:16 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	jordancarrillo530: needinfo+

Attachments
the content of passwd on w3 server (52.30 KB, image/png) 2014-06-26 03:57 UTC, pnigos70	Details

Description pnigos70 2014-06-26 03:57:16 UTC

Created attachment 1488 [details]
the content of passwd on w3 server

Hi,

I found a SSRF vulnerability in feed validator of w3,it can let attacker read arbitrary server file,do port scan and detect internal network.
People can provide a url and let feed validator to validate it.If we use file:///etc/passwd as url,the reponse will force to add http:// before our url and echo an error.

But we can use a redirect.php as a redirector.Use http://www.xxx.com/redirect.php?url=file:///etc/passwd as url and this time i am able to read arbitrary file on the server.

I attached screenshots as proof of concept.

Regards,
Tianqi Zhang