LFI via URL-encoded Path Traversal in file Parameter
A Local File Inclusion (LFI) vulnerability was discovered in the latest version 3.83 of the software, allowing attackers to view arbitrary files on the host system through URL-encoded path traversal. The issue was reported privately and has not yet been patched.
Available publicly on Dec 30 2024
Threat Overview
The vulnerability arises from improper validation of the 'file' parameter, which is susceptible to path traversal attacks when URL encoding is used. This allows an attacker to escape the current directory and access sensitive files on the host system. The impact of this vulnerability is significant as it can expose critical application files, SSH keys, API keys, and configuration values, potentially leading to further exploitation and compromise of the system.
Attack Scenario
An attacker crafts a URL with a URL-encoded path traversal sequence in the 'file' parameter. When this URL is accessed, the server processes the request and returns the contents of the specified file. For example, accessing http://localhost:53880/file=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd would return the contents of the /etc/passwd file, exposing sensitive information.
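A server-side check that closes this class of bug, as an added example that is not the affected software's code: decode the 'file' value fully, canonicalize it, and only then test that it stays inside the served directory. The names `resolve_served_path` and `TraversalError` and the served directory are hypothetical.

```python
import sys
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Requested path resolves outside the served directory (hypothetical name)."""


def resolve_served_path(base_dir, raw_param, max_decode_rounds=3):
    """Return the canonical path for the raw 'file' value, or raise TraversalError."""
    # Decode until stable so %2E%2E%2F and double-encoded %252E%252E%252F
    # both become literal "../" before any check runs. This is deliberately
    # strict: a value that is still changing after the last round is refused.
    decoded = raw_param
    for _ in range(max_decode_rounds):
        once_more = unquote(decoded)
        if once_more == decoded:
            break
        decoded = once_more
    else:
        raise TraversalError("too many encoding layers")

    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")

    base = Path(base_dir).resolve()
    # Strip leading separators so an absolute path cannot replace the base.
    candidate = (base / decoded.lstrip("/\\")).resolve()

    # Containment is tested on the canonical path, after ".." and symlinks
    # are resolved, never on the raw or partially decoded string.
    if candidate != base and base not in candidate.parents:
        raise TraversalError(f"{raw_param!r} escapes {base}")
    return candidate


if __name__ == "__main__":
    # Usage: script.py <served_dir> <raw file parameter>
    try:
        print(resolve_served_path(sys.argv[1], sys.argv[2]))
    except TraversalError as exc:
        print("rejected:", exc)
```
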
Who is affected
Users running the latest version 3.83 of the software are affected by this vulnerability. This includes any deployments where the 'file' parameter is exposed and can be manipulated by an attacker.