Path Traversal in alanaktion/mchostpanel


Reported on

Sep 5th 2021

✍️ Description

A Path Traversal vulnerability was identified in the Minecraft server control panel that allows an attacker to access arbitrary user resources.

🕵️‍♂️ Proof of Concept

POST /ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 45
Content-Type: application/x-www-form-urlencoded


💥 Impact

This issue may lead to unauthorized access to local files (information disclosure).


We have contacted a member of the alanaktion/mchostpanel team and are waiting to hear back 3 months ago
Alan Hardman validated this vulnerability 3 months ago
Dwi Siswanto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman confirmed that a fix has been merged on 27d5a9 3 months ago
Alan Hardman has been awarded the fix bounty