Path Traversal in yogeshojha/rengine


Reported on

Aug 31st 2021

✍️ Description

Local File Inclusion through Path Traversal

🕵️‍♂️ Proof of Concept

While logged in into a Rengine instance, go to /api/getFileContents/?nuclei_template&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included into the response.

💥 Impact

This vulnerability is capable of reading /proc/self/environ, exposing environment variables, including the Postgres password.


We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 3 months ago
Yogesh Ojha validated this vulnerability 3 months ago
Koen Molenaar has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
3 months ago


This is amazing! Good job.

Patch is on the way!

Yogesh Ojha confirmed that a fix has been merged on 171fab 3 months ago
Yogesh Ojha has been awarded the fix bounty
Yogesh Ojha
3 months ago


Good Job on finding this. Congratulations on your bounty!