Path Traversal in yogeshojha/rengine

Valid

Reported on Aug 31st 2021


✍️ Description

Local File Inclusion through Path Traversal

🕵️‍♂️ Proof of Concept

While logged in to a Rengine instance, go to /api/getFileContents/?nuclei_template&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included in the response.

💥 Impact

This vulnerability can be used to read /proc/self/environ, exposing environment variables, including the Postgres password.

Occurrences

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 10 months ago
Yogesh Ojha validated this vulnerability 10 months ago
Koen Molenaar has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
10 months ago

Maintainer


This is amazing! Good job.

Patch is on the way!

Yogesh Ojha confirmed that a fix has been merged on 171fab 10 months ago
Yogesh Ojha has been awarded the fix bounty
Yogesh Ojha
10 months ago

Maintainer


Good Job on finding this. Congratulations on your bounty!
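A containment check of the kind that blocks the traversal described in the report above, as an added example that is not part of the original report or of the reNgine code base. The helper name `resolve_template`, the directory layout and the sample inputs are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """The requested name resolves outside the allowed directory."""


def resolve_template(base_dir, name):
    """Hypothetical helper, not reNgine's code: confine `name` to `base_dir`."""
    base = Path(base_dir).resolve(strict=True)
    try:
        # resolve() collapses ".." and follows symlinks. An absolute `name`
        # makes the join discard `base`, so validate the resolved result.
        candidate = (base / name).resolve()
        candidate.relative_to(base)  # per component: templates_backup fails
    except ValueError:
        raise UnsafePath(name) from None
    return candidate


def demo():
    """Classify constructed sample names against a constructed directory tree."""
    samples = [
        "cves/sample.yaml",                    # legitimate template
        "../../../../../../../../etc/passwd",  # payload shape from the report
        "/etc/passwd",                         # absolute path
        "../templates_backup/secret.txt",      # sibling sharing the prefix
        "link/secret.txt",                     # symlink leaving the directory
    ]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base, backup = Path(root, "templates"), Path(root, "templates_backup")
        (base / "cves").mkdir(parents=True)
        (base / "cves" / "sample.yaml").write_text("id: sample\n")
        backup.mkdir()
        (backup / "secret.txt").write_text("constructed secret\n")
        (base / "link").symlink_to(backup, target_is_directory=True)
        for name in samples:
            try:
                resolve_template(base, name)
                results[name] = "allowed"
            except UnsafePath:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The check runs on the resolved path rather than on the raw string, so it does not depend on filtering `../` sequences out of the parameter.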
