[CVE-2020-11110] What really happened in Grafana code?
There is already an exploit for this CVE, written by @serWazito0, and the finding itself is by Ahmed Sherif. So if an exploit exists, what is the point of this post? I like coding and code review, so I downloaded the vulnerable version from here and started looking for the vulnerable parts of the code.

The exploit sends a payload to an endpoint called [ /api/snapshots ]. After some searching through the project files I found the file [ ShareSnapshotCtrl.ts ] at [ grafana-6.2.5\public\app\features\dashboard\components\ShareModal ]; it is written in TypeScript. Reading [ ShareSnapshotCtrl ] you can see that it controls the JSON body of the vulnerable POST request; our scope is the [ originalUrl ] parameter.

Now that we know where the parameter is, what is next? The endpoint creates a key, and to trigger the vulnerability we open the link from the response, which sends a GET request to the endpoint [ dashboard/snapshot/KEY ]. After taking a look at the routes, it takes this s...