Path Traversal in yogeshojha/rengine


Reported on

Aug 31st 2021

✍️ Description

Local File Inclusion through Path Traversal

🕵️‍♂️ Proof of Concept

While logged in to a Rengine instance, go to /api/getFileContents/?nuclei_template&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included in the response.

💥 Impact

This vulnerability can be used to read /proc/self/environ, exposing environment variables, including the Postgres password.
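
The unchecked join behind this class of bug, next to a containment check that rejects it. This is an added example, not reNgine's code or its merged fix (neither is shown on this page). Python is used because reNgine is a Django application; all function names, the directory layout and the file contents are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """The requested name resolves outside the allowed directory."""


def read_naive(base_dir, name):
    # Vulnerable pattern: the name is joined unchecked, so "../" walks out.
    with open(os.path.join(base_dir, name), "rb") as fh:
        return fh.read()


def resolve_inside(base_dir, name):
    """Return the real path of name under base_dir, or raise UnsafePath."""
    if not name or "\x00" in name:
        raise UnsafePath("empty name or NUL byte")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks; an absolute name
    # replaces base in the join and is caught by the check below.
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise UnsafePath(f"{name!r} resolves outside {base}")
    return candidate


def read_contained(base_dir, name):
    return resolve_inside(base_dir, name).read_bytes()


def demo():
    """Compare both readers on a constructed directory layout."""
    with tempfile.TemporaryDirectory() as root:
        templates = Path(root, "templates")
        templates.mkdir()
        (templates / "sample.yaml").write_text("id: sample\n")
        secret = Path(root, "secret.env")
        secret.write_text("POSTGRES_PASSWORD=constructed\n")
        os.symlink(secret, templates / "link.yaml")  # symlink escaping the base
        out = {"naive": read_naive(templates, "../secret.env"),
               "ok": read_contained(templates, "sample.yaml"), "rejected": 0}
        for bad in ("../secret.env", str(secret), "x/../../secret.env", "link.yaml"):
            try:
                read_contained(templates, bad)
            except UnsafePath:
                out["rejected"] += 1
        return out
```

The check compares resolved paths rather than filtering for "../" in the string, which is why the absolute path and the symlink are rejected along with the dot-dot forms.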


We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 10 months ago
Yogesh Ojha validated this vulnerability 10 months ago
Koen Molenaar has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
10 months ago


This is amazing! Good job.

Patch is on the way!

Yogesh Ojha confirmed that a fix has been merged on 171fab 10 months ago
Yogesh Ojha has been awarded the fix bounty
Yogesh Ojha
10 months ago


Good Job on finding this. Congratulations on your bounty!
