Two CVEs, Zero Ego: A Mailpit Story #1748
Open · +27 −0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title: Two CVEs, Zero Ego: A Mailpit Story
Context: what Mailpit is and why it matters
Mailpit is a lightweight email testing tool for development environments. It runs an SMTP server to catch inbound emails and exposes a web interface/API to view them. It is written in Go, distributed as a single binary, and is commonly run locally or via Docker. Because it captures sensitive emails (password resets, verification codes, magic links, tokens), any exposure of its HTTP/W...
🔧 Technical Details
SSRF via “proxy URL fetch” endpoints: If an application exposes an endpoint that fetches arbitrary URLs (e.g., /api/v1/proxy?url=...) and does not strictly validate destinations (allowlist approved hosts/schemes and block internal/link-local ranges), an attacker can coerce the server into making requests from its own network context. A common high-impact target in cloud environments is AWS IMDS at http://169.254.169.254/latest/meta-data/, which can expose internal metadata and sometimes credentials, enabling follow-on compromise and lateral movement.

Cross-Site WebSocket Hijacking from permissive Origin validation: If a WebSocket server disables origin checks (e.g., Gorilla WebSocket Upgrader.CheckOrigin always returns true), attacker-controlled websites can run JavaScript that opens cross-site WebSocket connections to a target. If the WebSocket channel lacks authentication/authorization, this enables cross-site...

🤖 Agent Actions
Updated HackTricks with Mailpit-derived techniques:
CheckOrigin always-true misconfiguration leading to cross-site hijacking without auth, with exploitation snippet and mitigations; added blog reference.
Tests were not run (documentation-only changes).
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
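The two checks described under Technical Details, a destination allowlist for a proxy-URL fetch endpoint and a strict replacement for a Gorilla Upgrader.CheckOrigin that always returns true, as an added Go example. This is not code from the PR, the blog post, Mailpit or Gorilla WebSocket. The allowlisted host images.example.com, the server host mailpit.local:8025, the attacker origin https://attacker.example and all function names are assumptions; Mailpit's actual fixes are not reproduced here. Hostnames are deliberately not resolved so the block runs offline, which is called out in the code as the gap a real implementation must close.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Hypothetical allowlist of hosts the proxy-URL endpoint may fetch from (assumption).
var allowedProxyHosts = map[string]bool{"images.example.com": true}

// isBlockedIP rejects loopback, unspecified, RFC 1918 / ULA, link-local (which is where
// AWS IMDS 169.254.169.254 lives), multicast, CGNAT 100.64.0.0/10 and 0.0.0.0/8.
// The net.IP predicates unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) via To4.
func isBlockedIP(ip net.IP) bool {
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return true
	}
	if ip4 := ip.To4(); ip4 != nil {
		return ip4[0] == 0 || (ip4[0] == 100 && ip4[1]&0xc0 == 64)
	}
	return false
}

// ValidateProxyTarget is the "allowlist hosts/schemes, block internal ranges" check.
// Hostnames are NOT resolved here so the example runs offline; a real implementation
// must resolve the name, apply isBlockedIP to every returned address, and connect to
// exactly that address, otherwise DNS rebinding (or a record that simply points at
// 169.254.169.254) bypasses the check.
func ValidateProxyTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("scheme not allowed: " + u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if ip := net.ParseIP(host); ip != nil {
		if isBlockedIP(ip) {
			return fmt.Errorf("destination %s is in a blocked range", ip)
		}
		return errors.New("IP-literal destinations are not on the allowlist")
	}
	if !allowedProxyHosts[host] {
		return errors.New("host not on allowlist: " + host)
	}
	return nil
}

// PermissiveCheckOrigin is the misconfiguration from the PR text: a Gorilla
// Upgrader.CheckOrigin that returns true for every request, so JavaScript on any
// site the victim visits can open a WebSocket to the server with the victim's cookies.
func PermissiveCheckOrigin(r *http.Request) bool { return true }

// StrictCheckOrigin accepts only same-host origins or an explicit allowlist of full
// origins (scheme://host[:port]). A missing Origin header means a non-browser client,
// which cannot mount cross-site WebSocket hijacking; this matches Gorilla's default.
func StrictCheckOrigin(allowed ...string) func(*http.Request) bool {
	set := map[string]bool{}
	for _, a := range allowed {
		set[strings.ToLower(a)] = true
	}
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			return true
		}
		u, err := url.Parse(origin)
		if err != nil || u.Host == "" { // also rejects the literal "null" origin
			return false
		}
		return strings.EqualFold(u.Host, r.Host) || set[strings.ToLower(u.Scheme+"://"+u.Host)]
	}
}

// OriginVerdicts builds the constructed request a browser on https://attacker.example
// would send to a server at mailpit.local:8025 and returns (permissive, strict).
func OriginVerdicts() (bool, bool) {
	r := &http.Request{Host: "mailpit.local:8025", Header: http.Header{}}
	r.Header.Set("Origin", "https://attacker.example")
	return PermissiveCheckOrigin(r), StrictCheckOrigin()(r)
}

func main() {
	for _, t := range []string{"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:169.254.169.254]/", "file:///etc/passwd", "https://images.example.com/x.png"} {
		fmt.Printf("%-42s -> %v\n", t, ValidateProxyTarget(t))
	}
	p, s := OriginVerdicts()
	fmt.Println("cross-site Origin accepted: permissive =", p, "strict =", s)
}
```

The allowlist-first design matters: rejecting only the known-bad ranges leaves hex/decimal IP encodings (0x7f000001, 2130706433) and redirect chains to cover, whereas allowing only named hosts you operate, then validating the resolved address at connect time, closes those in one place. For CheckOrigin, compare the full origin rather than a substring of it, since an allowlist check like strings.Contains(origin, "mailpit.local") is satisfied by mailpit.local.attacker.example.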