
It looks like the entire class of bugs here is "if you have access to Posthog's admin dashboard, you can configure webhook URLs that hit Posthog's internal services". That's not particularly surprising for a self-hosted system like the author's, but I expect it would be pretty bad if you were using their cloud-hosted product.




Ah, of course! I forgot about the cloud-hosted option.

In another comment, a Posthog security engineer mentions that this was resolved previously for their cloud-hosted product: https://news.ycombinator.com/item?id=46307696


