joshdick / miniProxy

🚨⚠️ UNMAINTAINED! ⚠️🚨 A simple PHP web proxy.
http://joshdick.github.io/miniProxy
GNU General Public License v3.0

SSRF exploit discovered possibly #144

Closed devcoinfet closed 4 years ago

devcoinfet commented 4 years ago

https://example.com/miniProxy.php?127.0.0.1:80/cpanel

This is a problem, as it allows an attacker access to your system. If you had a rule in place that stopped the attacker from remotely getting to the cpanel directory, this type of attack could be used to proxy oneself to the internal network or device of the server running it, by using it as the proxy.

joshdick commented 4 years ago

This is a great point. Thanks for the report!

What do you think about #146 as a fix for this issue?
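A destination check of the kind this report calls for, as an added example that is not part of the thread and is not the change in #146. The function name `vetDestination` is hypothetical and the sample targets are constructed, apart from the first, which is the one from the report.

```php
<?php
// Added example (not miniProxy code): returns resolved IPs or throws.
function vetDestination(string $url): array
{
    // Assumption: a bare "host:port/path" is treated as http://, as in the report.
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
        $url = 'http://' . $url;
    }
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http and https are allowed');
    }
    if (empty($parts['host'])) {
        throw new InvalidArgumentException('no host in URL');
    }
    // parse_url() keeps the brackets around an IPv6 literal; strip them.
    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        // gethostbynamel() returns IPv4 only; unresolvable names fail closed.
        $ips = gethostbynamel($host) ?: [];
    }
    if ($ips === []) {
        throw new RuntimeException("cannot resolve $host");
    }
    foreach ($ips as $ip) {
        // Refuse loopback, link-local, RFC 1918 and other reserved ranges.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new RuntimeException("internal address $ip refused");
        }
    }
    return $ips;
}

// Constructed sample targets; the first is the one from the report.
$samples = ['127.0.0.1:80/cpanel', 'http://[::1]/', 'http://192.168.1.10/',
            'ftp://127.0.0.1/', 'https://93.184.216.34/'];
foreach ($samples as $target) {
    try {
        vetDestination($target);
        echo "ALLOW  $target\n";
    } catch (Exception $e) {
        echo "REFUSE $target ({$e->getMessage()})\n";
    }
}
```

The check and the later fetch resolve the name separately, so the request should be pinned to the vetted address (for example with cURL's `CURLOPT_RESOLVE`). The same check has to run again on every redirect target.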