Facebook Internal IP Disclosure - SSRF on Facebook

During subdomain enumeration I found the subdomain https://esbmbltest.thefacebook.com/

At first sight it did not appear to be hosting anything.

Crawling the application, I figured out it was running "Oracle WebLogic UDDI Explorer".

Crawling the application or running dirb against it reveals the /uddiexplorer/ directory. The explorer also offers an option to search a private registry: the UDDI Directory Explorer allows authorized users to publish Web services in private WebLogic Server UDDI registries and to modify information for previously published Web services.

I was not an authorized user, but to fetch the details of the private registry the application sends a query to an internal system/server, and the IP address of that host was disclosed in the HTTP response headers: 192.168.1.103:8080.

This information can help an attacker identify other vulnerabilities, or it may help during the exploitation of other identified vulnerabilities; apart from that, it discloses information about the IP addressing scheme of Facebook's internal network.
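As an added, defender-side example (not part of the original post): a small Python check that scans a response's headers for RFC 1918, loopback and link-local addresses, which is how a leak like the 192.168.1.103:8080 one above would be caught in automated testing of an exposed application. The sample response below is constructed, not a real capture.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Address ranges that should never appear in a response sent to the internet:
# RFC 1918 private space plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Dotted-quad IPv4 literal with an optional :port, e.g. 192.168.1.103:8080.
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")

def find_internal_ips(headers: Dict[str, str]) -> List[Tuple[str, str, Optional[int]]]:
    """Return (header name, ip, port or None) for each internal IPv4 literal in the headers."""
    hits = []
    for name, value in headers.items():
        for ip_text, port_text in _IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(ip_text)
            except ipaddress.AddressValueError:
                continue  # octet > 255, e.g. a version string such as 10.2.999.1
            if any(ip in net for net in INTERNAL_NETS):
                hits.append((name, str(ip), int(port_text) if port_text else None))
    return hits

def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Split the header block of a raw HTTP response into a dict (status line dropped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            key, val = line.split(":", 1)
            headers[key.strip()] = val.strip()
    return headers

# Constructed sample response (not a real capture): a redirect that exposes an
# RFC 1918 origin, next to a public address and a version string that must not fire.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: WebLogic Server\r\n"
    "Location: http://192.168.1.103:8080/uddiexplorer/\r\n"
    "X-Forwarded-Host: 203.0.113.10\r\n"
    "X-Build: 10.2.999.1\r\n"
)

if __name__ == "__main__":
    for header, ip, port in find_internal_ips(parse_raw_headers(SAMPLE_RESPONSE)):
        print(f"internal address leaked in {header}: {ip}:{port or '-'}")
```

Running the same check over every response a crawler collects (Location, Via, X-Forwarded-* and custom headers included) turns this class of leak into a repeatable regression test rather than a manual observation.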

However, Facebook replied:
"The leak of an internal IP address is something we may fix, but we do not consider it a security vulnerability as it doesn't compromise the integrity of Facebook user data"

No bounty was awarded and the issue was closed on 26 August, hence I decided to disclose the bug.

However, on 11-12-2017 I received a mail from Facebook awarding $500 for this bug. I started digging into this and found that someone had continued from this bug and found an SSRF on Facebook.

Thank you
Dhiraj