Open liquidsec opened 3 years ago
Hi liquidsec, can you give a PoC of this ? I'm pentester too, and my client is using it.
I am a pentester, test.php produced an arbitrary file read vulnerability for one of my clients. We were able to read files all over the filesystem and gained access to sensitive keys, source code, etc by using directory traversal characters with the File parameter. Contents of the file get chopped into arrays but are nonetheless present.
Can confirm this. The "File" parameter can be altered to point to arbitrary locations even outside of the applications scope.
The vulnerability got officially registered under CVE-2023-29887 🐞
I am a pentester, test.php produced an arbitrary file read vulnerability for one of my clients. We were able to read files all over the filesystem and gained access to sensitive keys, source code, etc by using directory traversal characters with the File parameter. Contents of the file get chopped into arrays but are nonetheless present.