- Status Closed
-
Assigned To
cbay - Private
Opened by rulebrekerz - 12.07.2026
Last edited by cbay - 13.07.2026
FS#401 - Critical SSRF via Application Script Source URI — Cross-Tenant Data Leak
Critical SSRF via Application Script Source URI — Cross-Tenant Data Leak
Severity: Critical
Target: admin.alwaysdata.com
Auth: Free-tier account (no special permissions)
Summary
The "Installation script source URI" field accepts internal URLs like `<REDACTED>`. The server fetches the URL from its own backend and stores the full response in the script field, readable by the attacker. No IP/port validation exists. This leaks other customers' data, internal server names, and full stack traces.
Steps to Reproduce
1. Log in to `https://admin.alwaysdata.com` (free account works)
2. Go to Web → Sites → Applications → Application scripts → Add 3. Fill required fields with any values. For Installation script enter:
#!/bin/bash site: type: custom echo installed
4. Set Installation script source URI to: `<REDACTED>`
5. Click Submit
6. Click the refresh/update icon next to the script (or visit `/site/application/script/<ID>/update_script/`)
7. Open the script edit page — the Installation script textarea now contains <REDACTED>.
Impact
- Cross-tenant data leak — read other customers' account names, domains, and operations
- Internal infrastructure mapping — server hostnames, paths, stack traces exposed
- Firewall bypass — requests come from the server itself, reaching localhost-only services
- No rate limit — can probe unlimited internal ports/services
- 147 MB exfiltrated in a single request with no size restriction
—
Thank You
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
Can you confirm that the bug is fixed?
Kind regards,
Cyril
Dear Team,,
I have completed the retest, and I can confirm that the vulnerability has been successfully fixed.
Thank You
Thanks, you can open a support ticket to claim your bounty.
Hi,
We raised our support ticket→ https://admin.alwaysdata.com/support/94681/#bottom
thanks