This post is about how my friend and I earned roughly $2500 from the Cafebazaar bug bounty program.
Init
During the recon phase, I enumerated the host mailx.hezardastan.net, Cafebazaar's webmail access point, and ran a port scan against it:
There were plenty of open ports. Among them, the Memcached port, 11211, stood out as abnormal. Some basic tests showed that:
No authentication was required to communicate with port 11211
Zimbra stored email addresses in the cache
Cache data could be added, modified and deleted
The service could be abused in a DDoS attack
However, I was looking for something more dangerous, such as file disclosure or remote command execution.
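As an added example that is not part of the original post, the following Python parses a memcached `stats settings` response (the text-protocol output an administrator gets from their own instance) and flags the exposure properties described above: listening on a non-loopback interface, UDP enabled, and no SASL authentication. The sample response is constructed.

```python
"""Audit a memcached `stats settings` response for exposure risks.

Stat names (inter, udpport, auth_enabled_sasl) are those memcached itself
reports; the sample below is constructed for a hypothetical misconfigured
instance, not captured from any real host.
"""

# Constructed sample: bound to all interfaces ("inter NULL"), UDP on, no SASL.
SAMPLE_STATS_SETTINGS = "\r\n".join([
    "STAT maxbytes 67108864",
    "STAT maxconns 1024",
    "STAT tcpport 11211",
    "STAT udpport 11211",
    "STAT inter NULL",
    "STAT binding_protocol auto-negotiate",
    "STAT auth_enabled_sasl no",
    "END",
]) + "\r\n"

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_stats(raw: str) -> dict[str, str]:
    """Parse 'STAT <name> <value>' lines into a dict, stopping at END."""
    stats: dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if line == "END":
            break
        if not line.startswith("STAT "):
            continue  # ignore anything that is not a stat line
        parts = line.split(" ", 2)
        if len(parts) == 3:
            stats[parts[1]] = parts[2]
    return stats


def audit_settings(stats: dict[str, str]) -> list[str]:
    """Return human-readable findings for risky memcached settings."""
    findings = []
    # "inter" is the bind address; NULL means every interface.
    inter = stats.get("inter", "NULL")
    if inter == "NULL" or not all(a in LOOPBACK for a in inter.split(",")):
        findings.append(f"listens on non-loopback interface(s): {inter}")
    # A non-zero udpport means UDP is enabled and usable for DDoS amplification.
    if stats.get("udpport", "0") != "0":
        findings.append("UDP port enabled; can be abused for DDoS amplification")
    if stats.get("auth_enabled_sasl", "no") != "yes":
        findings.append("SASL authentication disabled; anyone who can reach the port can read and write the cache")
    return findings
```

Run it against the output of `stats settings` from your own instance; an empty findings list means the service is loopback-only, TCP-only and authenticated.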

Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text