mailtrain

vulnerability path traversal (local file read)
severity 8.8
language javascript
registry other

✍️ Description

A path traversal (also known as directory traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

🕵️‍♂️ Proof of Concept

  1. Setup Mailtrain quickly with docker as shown here - https://github.com/Mailtrain-org/mailtrain/#quick-start---deploy-with-docker
  2. Visit http://localhost:3000/reports/create
  3. Add GET parameter layout to this URL and the value should be the relative path of local file to read.
  4. Eg: http://localhost:3000/reports/create?layout=../../etc/resolv.conf

PoC video - https://drive.google.com/file/d/1g6VOHP2OnGqlpuuLE2Vv-6za0WuJ27z4/view?usp=sharing Write-up - https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/

💥 Impact

An attacker is capable of reading any file on the server's file system.