Path Traversal in yogeshojha/rengine

Valid

Reported on

Aug 31st 2021

✍️ Description

Local File Inclusion through Path Traversal

🕵️‍♂️ Proof of Concept

While logged in into a Rengine instance, go to /api/getFileContents/?nuclei_template&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included into the response.

💥 Impact

This vulnerability is capable of reading /proc/self/environ, exposing environment variables, including the Postgres password.

Occurrences

views.py L54

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 10 months ago

Yogesh Ojha validated this vulnerability 10 months ago

Koen Molenaar has been awarded the disclosure bounty

The fix bounty is now up for grabs

Yogesh Ojha

commented 10 months ago

Maintainer

This is amazing! Good job.

Patch is on the way!

Yogesh Ojha confirmed that a fix has been merged on 171fab 10 months ago

Yogesh Ojha has been awarded the fix bounty

Yogesh Ojha

commented 10 months ago

Maintainer

Good Job on finding this. Congratulations on your bounty!

to join this conversation

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 10 months ago

Yogesh Ojha validated this vulnerability 10 months ago

Koen Molenaar has been awarded the disclosure bounty

The fix bounty is now up for grabs

Yogesh Ojha

commented 10 months ago

Maintainer

This is amazing! Good job.

Patch is on the way!

Yogesh Ojha confirmed that a fix has been merged on 171fab 10 months ago

Yogesh Ojha has been awarded the fix bounty

Yogesh Ojha

commented 10 months ago

Maintainer

Good Job on finding this. Congratulations on your bounty!

to join this conversation