LFI / Path Traversal allows an attacker to read any file in the working directory in szabodanika/microbin
Jul 14th 2022
The file upload functionality allows a user to attach a file to a paste. When an attacker views the attached file, they can alter the path in the request (e.g. with Burp Suite) and read any file in the working directory via a relative path. This also applies to private pastes. The attacker needs to know the file name, but database.json is always located at ../database.json relative to the attachment directory and contains information on all pastes, so the application data can be compromised.
Filtering dots out of the path is not a sufficient fix on its own: naive stripping of ".." or "../" can be bypassed by sequences that collapse back into "../" after one pass, and it does nothing against absolute paths. The file name segment should instead be rejected unless it is a single plain path component, and the resolved path should additionally be checked to lie under the upload directory before the file is opened.
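The path-handling pattern described above, the naive "strip ../" fix and a hardened check, written as an added example for this report. This is not microbin's code: the directory name pasta_data, the function names and the reading of "filter out the dots" as a replace of "../" are assumptions made here.

```rust
use std::path::{Component, Path, PathBuf};

// Directory that attached files are served from. Assumed layout for this
// example; the project's actual directory name may differ.
const UPLOAD_ROOT: &str = "pasta_data";

/// Vulnerable pattern: request segments are concatenated into a path, so
/// a `name` of `../database.json` walks out of the upload root.
pub fn vulnerable_file_path(id: &str, name: &str) -> PathBuf {
    PathBuf::from(format!("{}/{}/{}", UPLOAD_ROOT, id, name))
}

/// The report's suggested fix, read here as "remove `../` from the input".
/// A single replace pass is bypassable: `....//` loses only its middle
/// `../`, and what is left is `../` again.
pub fn strip_dotdot(segment: &str) -> String {
    segment.replace("../", "")
}

/// Hardened check: an attached file name must be exactly one normal path
/// component. Anything else (`..`, `.`, a leading `/`, an embedded
/// separator, a backslash, an empty string) is rejected outright instead
/// of being "cleaned", so there is nothing for an attacker to fold back
/// together. The backslash check covers Windows hosts, where `Path`
/// would treat it as a separator.
pub fn safe_component(segment: &str) -> Option<&str> {
    if segment.is_empty() || segment.contains('/') || segment.contains('\\') {
        return None;
    }
    let mut comps = Path::new(segment).components();
    match (comps.next(), comps.next()) {
        // Exactly one component, and it must be the whole input unchanged.
        (Some(Component::Normal(c)), None) if c == segment => Some(segment),
        _ => None,
    }
}

/// Builds the on-disk path only from validated segments; any rejected
/// segment makes the whole request fail closed.
pub fn safe_file_path(id: &str, name: &str) -> Option<PathBuf> {
    let id = safe_component(id)?;
    let name = safe_component(name)?;
    Some(Path::new(UPLOAD_ROOT).join(id).join(name))
}

fn main() {
    let (id, name) = ("foo-bar-test", "file.txt");
    println!("vulnerable, legit  : {:?}", vulnerable_file_path(id, name));
    println!("vulnerable, attack : {:?}", vulnerable_file_path(id, "../database.json"));
    println!("after strip_dotdot : {:?}", strip_dotdot("....//database.json"));
    println!("hardened, legit    : {:?}", safe_file_path(id, name));
    println!("hardened, attack   : {:?}", safe_file_path(id, "../database.json"));
}
```

Rejecting rather than sanitizing is the point: a validator that returns None for anything but a plain file name cannot be coaxed into producing "../" by feeding it a longer input. As a second layer, the path actually opened can be canonicalized and required to start with the canonicalized upload directory, which also catches symlinks that point outside it.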
Proof of Concept
Use Burp Suite to intercept the GET request to /file/foo-bar-test/file.txt and change it to /file/../database.json. The response contains the contents of the database file.
Reveals any data within the server's working directory.