Impact
The admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations.
Patches
The bug comes from the Zend library.
Workarounds
Unset the X-Original-Url header in the web server configuration.
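As an added example (not part of the advisory or the OpenMage project), the script below checks Apache configuration text for this workaround. It assumes Apache httpd with mod_headers, where the directive is `RequestHeader unset X-Original-Url`; the vhost samples, host name, paths and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit Apache config text for the X-Original-Url workaround.
# Assumption: Apache httpd with mod_headers; all sample configs are constructed.

# Reads config text on stdin. Returns 0 if it contains an active (uncommented)
# "RequestHeader unset X-Original-Url" directive, 1 otherwise.
# Apache directive and header names are case-insensitive, hence grep -i.
has_unset_directive() {
    grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+"?X-Original-Url"?([[:space:]]|$)'
}

# Constructed sample: vhost where the directive is only present as a comment.
sample_unpatched='<VirtualHost *:443>
    ServerName shop.example.com
    DocumentRoot /var/www/openmage
    # RequestHeader unset X-Original-Url
</VirtualHost>'

# Constructed sample: the same vhost with the workaround applied.
sample_patched='<VirtualHost *:443>
    ServerName shop.example.com
    DocumentRoot /var/www/openmage
    RequestHeader unset X-Original-Url
</VirtualHost>'

# $1 = label for the report line; config text on stdin.
audit() {
    if has_unset_directive; then
        echo "$1: OK, X-Original-Url is stripped before the application sees it"
    else
        echo "$1: MISSING, add 'RequestHeader unset X-Original-Url'"
        return 1
    fi
}

printf '%s\n' "$sample_unpatched" | audit unpatched || true
printf '%s\n' "$sample_patched" | audit patched
```

A commented-out directive counts as missing, which is the case a plain `grep` for the header name would get wrong.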
References
https://hackerone.com/bugs?subject=openmage&report_id=3416312
Looking deeper initially I couldn't find it but then realized that my search was excluding the vendor/ directory. So this is coming from the Zend_Controller module. Here is another tip from 2016 - surprised this wasn't somehow patched already!
https://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..)
Credit
Anees Hyder (anees0x_dev) on HackerOne
https://hackerone.com/anees0x_dev/hacktivity?type=user