Path Traversal in yogeshojha/rengine

Valid

Reported on

Aug 31st 2021

✍️ Description

Local File Inclusion through Path Traversal

🕵️‍♂️ Proof of Concept

While logged in into a Rengine instance, go to /api/getFileContents/?nuclei_template&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included into the response.

💥 Impact

This vulnerability is capable of reading /proc/self/environ, exposing environment variables, including the Postgres password.

Occurrences

views.py L54

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago

Yogesh Ojha validated this vulnerability 2 years ago

Koen Molenaar has been awarded the disclosure bounty

The fix bounty is now up for grabs

Yogesh Ojha

commented 2 years ago

Maintainer

This is amazing! Good job.

Patch is on the way!

Yogesh Ojha marked this as fixed with commit 171fab 2 years ago

Yogesh Ojha has been awarded the fix bounty

This vulnerability will not receive a CVE

Yogesh Ojha

commented 2 years ago

Maintainer

Good Job on finding this. Congratulations on your bounty!

to join this conversation

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago

Yogesh Ojha validated this vulnerability 2 years ago

Koen Molenaar has been awarded the disclosure bounty

The fix bounty is now up for grabs

Yogesh Ojha

commented 2 years ago

Maintainer

This is amazing! Good job.

Patch is on the way!

Yogesh Ojha marked this as fixed with commit 171fab 2 years ago

Yogesh Ojha has been awarded the fix bounty

This vulnerability will not receive a CVE

Yogesh Ojha

commented 2 years ago

Maintainer

Good Job on finding this. Congratulations on your bounty!

to join this conversation