Pretty simple bug bounty example, but it was my first and I got a bit excited. I can't name the company because disclosure hasn't been granted.
I'm not going to disclose the impacted URL, or the amount I've gotten for it either. I will however say that the issue has been resolved on their end, so there's no chance the URL I reported can be used for the same attack. It's been nuked. That all being the case, I've made a sort of recreation of the problem.
I’m mostly writing this blog post because I didn’t know the functionality existed and I’m sure a bunch of other developers also aren’t aware. Learn something new every day. It’s probably WebSec 101 but at least as far as PHP is concerned I fail to see the point of leaving this feature enabled.
There was a file somewhere on (Company)'s network that would load a URL specified by a request parameter and simply echo its contents back to the caller.
Anyway, here is an example of what it would look like:
```php
<?php
// Recreation of the vulnerable script: fetches whatever URL the caller supplies and echoes it back.
$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => $_GET['url']));
$data = curl_exec($ch);
echo $data;
```
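For contrast, here is a hardened version of the same endpoint. This is an added example written for this post, not the company's fixed code or anything from the original report. The allowlisted hostnames are constructed placeholders; the point is that the script decides up front which scheme, hosts and port it is willing to fetch, resolves the name itself and refuses private or reserved addresses (so a request cannot be steered at loopback or internal hosts), pins the resolved address so a DNS answer cannot change between the check and the connect, and never follows redirects.

```php
<?php
// Added example, not the post's code: hardened fetch-by-URL endpoint.
// Assumption: only these hosts may be fetched, and only over HTTPS on port 443.
const ALLOWED_HOSTS = ['assets.example.com', 'cdn.example.com']; // constructed allowlist

/**
 * Fetch $url only if it passes every check; return the body, or null on refusal or error.
 */
function fetch_allowed_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                   // unparseable or relative URL
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;                                   // refuse file://, gopher://, http://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                                   // no "user@host" credentials in the URL
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                                   // host is not on the allowlist
    }
    $port = $parts['port'] ?? 443;
    if ($port !== 443) {
        return null;                                   // only the standard HTTPS port
    }

    // Resolve the name ourselves (IPv4 only via gethostbynamel) and refuse private,
    // loopback and reserved ranges, then pin the address with CURLOPT_RESOLVE so curl
    // connects to exactly the address we checked.
    $ips = gethostbynamel($host);
    if ($ips === false || count($ips) === 0) {
        return null;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;                               // e.g. 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16
        }
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,    // curl-level scheme restriction as well
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,              // a redirect could point anywhere, including inside the network
        CURLOPT_RESOLVE         => ["{$host}:{$port}:{$ips[0]}"],
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => 5 * 1024 * 1024,    // don't proxy unbounded downloads
    ]);
    $data   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($data === false || $status !== 200) {
        return null;
    }
    return $data;
}

// Endpoint wiring: same shape as the vulnerable script, but a refusal returns 400 instead of a fetched body.
$body = fetch_allowed_url((string)($_GET['url'] ?? ''));
if ($body === null) {
    http_response_code(400);
    exit('URL not permitted');
}
header('Content-Type: text/plain');
echo $body;
```

Two caveats on the design: `gethostbynamel` returns only A records, so if the allowlisted hosts are reachable over IPv6 the resolution step needs a `dns_get_record` lookup with the same range checks applied to AAAA answers; and the allowlist is what does most of the work, so if the endpoint genuinely has to fetch arbitrary user-supplied URLs, the right answer is usually to move the fetch to an isolated worker with no route to internal networks rather than to keep tightening checks in the web tier.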