Local File Inclusion via JSON Component
A Local File Inclusion (LFI) vulnerability was identified in the JSON component of a web application, affecting versions 4.25 to 4.31.3. The issue, patched in version 4.31.4, allowed attackers to read local files by manipulating JSON input.
Available publicly on May 30 2024 | Available with Premium on May 21 2024
Threat Overview
The vulnerability stems from improper input validation in the JSON component's postprocess() function, where user-controlled strings are parsed without adequate sanitization. This flaw enables attackers to inject a dictionary object with a path key, leading to unauthorized file access. The application's handling of such objects in both the postprocess_data() and preprocess_data() functions exacerbates the issue, as it inadvertently facilitates the movement of specified files to a temporary directory, from which they can be retrieved.
Attack Scenario
An attacker crafts a JSON payload containing a dictionary with a path key pointing to a sensitive file. This payload is submitted to the vulnerable application, which then processes and moves the specified file to a temporary directory. The attacker subsequently accesses the moved file via a specially crafted request to the application's endpoint, achieving unauthorized read access to the file's contents.
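The two checks this flaw calls for, as an added example (not the affected application's code or its 4.31.4 patch): JSON parsed from a user string is refused when it contains a dictionary with a path key, and any file about to be copied to the served temporary directory must resolve inside an allowed root. All function names and the reject-on-path policy are assumptions made for illustration.

```python
import json
import os

# Added example: all names here are hypothetical, not the application's API.

def contains_file_reference(value):
    """True if any nested dict carries a 'path' key (file-reference shape)."""
    if isinstance(value, dict):
        return "path" in value or any(
            contains_file_reference(v) for v in value.values())
    if isinstance(value, list):
        return any(contains_file_reference(v) for v in value)
    return False

def parse_untrusted_json(text):
    """Parse a user-supplied string; refuse objects shaped like file references.

    Assumed policy: data parsed from a user string is never allowed to
    become a file reference, so such objects are rejected outright.
    """
    data = json.loads(text)
    if contains_file_reference(data):
        raise ValueError("file-reference object in user-supplied JSON")
    return data

def is_allowed_path(path, allowed_root):
    """True only if path resolves (symlinks, '..') inside allowed_root."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root

def is_rejected(text):
    """Did parse_untrusted_json refuse this input? (Malformed JSON counts too.)"""
    try:
        parse_untrusted_json(text)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample inputs.
    print(is_rejected('{"rows": [1, 2, 3]}'))
    print(is_rejected('{"rows": [{"path": "/etc/hostname"}]}'))
    print(is_allowed_path("/srv/app/uploads/../../secret", "/srv/app/uploads"))
```

The containment check belongs at the point where a file is copied or served, so it still holds if a file-reference object reaches that code by some other route.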
Who is affected
Any user or system utilizing the affected versions of the web application for processing JSON input is at risk. This includes both end-users interacting with the application's interface and backend systems that rely on the application for JSON data handling.