This simply describes a bypass for the report at https://hackerone.com/reports/243865: using a decimal notation encoded IP address (0177.0.0.1) currently bypasses the limitations in place for localhost.
crayons (re-submitting report including “magic” string)
Concrete5 version used is 8.5.2
An attacker can interact with local services; the impact may vary depending on the services actually exposed.
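An added example, not part of the original report and not Concrete5's code: a check that matches the host textually against `127.0.0.1` or `localhost` misses `0177.0.0.1`, because inet_aton-style parsers read a component with a leading zero as octal (0177 = 127). The hypothetical helpers `parse_legacy_ipv4` and `is_internal_literal` normalize the literal before the loopback/private test and also cover the other inet_aton forms (hex components, fewer than four parts); hostnames still need the same test applied to the address they resolve to.

```python
import ipaddress

def parse_legacy_ipv4(host):
    """Parse a numeric host the way inet_aton-style parsers do.

    Returns an IPv4Address, or None if host is not a numeric IPv4 literal.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for part in parts:
        lowered = part.lower()
        if lowered.startswith("0x"):
            digits, base = lowered[2:], 16      # hex component
        elif len(lowered) > 1 and lowered[0] == "0":
            digits, base = lowered[1:], 8       # leading zero means octal: 0177 == 127
        else:
            digits, base = lowered, 10
        allowed = "0123456789abcdef"[:base]
        if not digits or any(c not in allowed for c in digits):
            return None
        nums.append(int(digits, base))
    value = 0
    for n in nums[:-1]:                         # every leading component is one byte
        if n > 255:
            return None
        value = (value << 8) | n
    remaining = 4 - (len(nums) - 1)             # last component fills the remaining bytes
    if nums[-1] >= 256 ** remaining:
        return None
    return ipaddress.IPv4Address((value << (8 * remaining)) | nums[-1])

def is_internal_literal(host):
    """True if host is a numeric literal for a loopback/private/link-local address."""
    ip = parse_legacy_ipv4(host)
    if ip is None:
        return False  # a hostname: the caller must resolve it and check the result
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

if __name__ == "__main__":
    # Constructed sample inputs; 0177.0.0.1 is the value from the report.
    for sample in ("127.0.0.1", "0177.0.0.1", "93.184.216.34"):
        print(sample, parse_legacy_ipv4(sample), is_internal_literal(sample))
```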