Path Traversal in yogeshojha/rengine
Reported on Aug 31st 2021
✍️ Description
Local File Inclusion through Path Traversal
🕵️♂️ Proof of Concept
While logged in to a reNgine instance, go to /api/getFileContents/?nuclei_template&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included in the response.
💥 Impact
This vulnerability also allows reading /proc/self/environ, which exposes environment variables, including the Postgres password.
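The flaw described above, as an added example that is not reNgine's code: a file reader that joins the request's name parameter to a base directory unchecked, next to a version that resolves the path and rejects anything outside that directory. The function names, directory layout and sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def read_template_unsafe(base_dir: str, name: str) -> str:
    """Vulnerable pattern: the request parameter is joined to the base path unchecked."""
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def resolve_inside(base_dir: str, name: str) -> Path:
    """Return the resolved path for `name`, or raise ValueError if it leaves base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks before the containment check.
    candidate = (base / name).resolve()
    if candidate == base or not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"rejected path outside template directory: {name!r}")
    return candidate


def read_template_safe(base_dir: str, name: str) -> str:
    """Hardened reader: only files that resolve inside base_dir are opened."""
    return resolve_inside(base_dir, name).read_text()


def demo() -> dict:
    """Build a constructed directory tree and run both readers against it."""
    with tempfile.TemporaryDirectory() as root:
        templates = Path(root, "templates")
        templates.mkdir()
        (templates / "sample.yaml").write_text("id: sample\n")
        # Constructed stand-in for a sensitive file outside the template directory.
        Path(root, "secret.env").write_text("POSTGRES_PASSWORD=constructed\n")
        results = {"unsafe_leak": read_template_unsafe(str(templates), "../secret.env")}
        results["safe_ok"] = read_template_safe(str(templates), "sample.yaml")
        for bad in ("../secret.env", "/etc/passwd", "a/../../secret.env"):
            try:
                read_template_safe(str(templates), bad)
                results[bad] = "read"
            except ValueError:
                results[bad] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check runs on the resolved path, so absolute paths and traversal hidden behind nonexistent subdirectories are rejected along with plain "../" sequences.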
Occurrences
Good Job on finding this. Congratulations on your bounty!