ethercreative / seo

SEO utilities including a unique field type, sitemap & redirect manager
MIT License

Possible remote file inclusion #454

Closed mariohammel closed 1 year ago

mariohammel commented 1 year ago

Description

Our hosting provider sent us information about an RFI exploit [P1419] on our web page. I found the following snippet in a cached file (Craft Template Caching):

<meta property="og:url" content="https://example.com/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../etc/passwd" />   
<meta name="twitter:url" content="https://example.com/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../etc/passwd" />   
<link rel="canonical" href="https://dextra.ch/../../../../../../../../../../../../etc/passwd">

Is it possible to validate such parameters?

Steps to reproduce

  1. Open the craft website with the following query param: https://example.com?p=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd
  2. View the page source.

Additional info
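One way to validate the reflected path before it is emitted into `og:url`, `twitter:url` or `rel="canonical"`, as an added example that is not the ethercreative/seo plugin's own code. It assumes the page path arrives from the request as a raw string (for example the value of Craft's `p` query parameter shown in the reproduction steps) and that the canonical URL is the site base plus that path; `SITE_BASE`, the function names and the sample inputs are constructed for this example. The point it demonstrates is the double-encoding in the report: `..%252f` only becomes `../` after two rounds of percent-decoding, so a check that decodes once and looks for `..` misses it.

```python
"""Added example (not the plugin's code): reject traversal and absolute-URL
payloads before reflecting a request path into canonical / og:url tags."""
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

SITE_BASE = "https://example.com"  # assumed site URL for this example


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so `..%252f` (double
    encoded) and `..%2f` (single encoded) both surface as `../`.
    Bounded so a pathological input cannot keep the loop busy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def safe_path(raw_path: str) -> Optional[str]:
    """Return a normalised, site-relative path, or None if the input is unsafe.

    Rejects: dot segments ('..' or '.') after full decoding, control characters,
    backslashes, and anything carrying a scheme or host (e.g. //evil.example).
    Re-encodes each surviving segment so the output is safe to print into an
    attribute value. A trailing slash is dropped."""
    decoded = fully_decode(raw_path)
    if any(ord(c) < 0x20 for c in decoded) or "\\" in decoded:
        return None
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return None
    segments = decoded.split("/")
    if any(seg in ("..", ".") for seg in segments):
        return None
    cleaned = [quote(seg, safe="-_.~") for seg in segments if seg]
    return "/" + "/".join(cleaned)


def canonical_url(raw_path: str) -> str:
    """Build the canonical URL; fall back to the site root when the path is unsafe
    (falling back rather than echoing keeps the cached page free of the payload)."""
    path = safe_path(raw_path)
    return SITE_BASE + (path if path is not None else "/")


if __name__ == "__main__":
    # Constructed inputs: the single- and double-encoded payloads from the report,
    # plus an ordinary page path.
    for p in (
        "..%2f..%2f..%2f..%2f../etc/passwd",
        "..%252f..%252f..%252f..%252f../etc/passwd",
        "//evil.example/phish",
        "blog/my post/",
    ):
        print(repr(p), "->", canonical_url(p))
```

The same check belongs wherever the path is reflected, and a rejected path should also be kept out of the template cache, otherwise the payload persists in the cached HTML as it did in the report.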