Path Traversal in yogeshojha/rengine


Reported on

Aug 31st 2021

✍️ Description

Local File Inclusion through Path Traversal

🕵️‍♂️ Proof of Concept

While logged in into a Rengine instance, go to /api/getFileContents/?nuclei_template&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included into the response.

💥 Impact

This vulnerability is capable of reading /proc/self/environ, exposing environment variables, including the Postgres password.


We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Yogesh Ojha validated this vulnerability 2 years ago
Koen Molenaar has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
2 years ago


This is amazing! Good job.

Patch is on the way!

Yogesh Ojha marked this as fixed with commit 171fab 2 years ago
Yogesh Ojha has been awarded the fix bounty
This vulnerability will not receive a CVE
Yogesh Ojha
2 years ago


Good Job on finding this. Congratulations on your bounty!

to join this conversation