Arbitrary file read vulnerability

[liquidsec]

I am a pentester, test.php produced an arbitrary file read vulnerability for one of my clients. We were able to read files all over the filesystem and gained access to sensitive keys, source code, etc by using directory traversal characters with the File parameter. Contents of the file get chopped into arrays but are nonetheless present.

[americo]

Hi liquidsec, can you give a PoC of this ?
I'm pentester too, and my client is using it.

[RonnyDo]

I am a pentester, test.php produced an arbitrary file read vulnerability for one of my clients. We were able to read files all over the filesystem and gained access to sensitive keys, source code, etc by using directory traversal characters with the File parameter. Contents of the file get chopped into arrays but are nonetheless present.

Can confirm this. The "File" parameter can be altered to point to arbitrary locations even outside of the applications scope.

[RonnyDo]

The vulnerability got officially registered under CVE-2023-29887 🐞