## Exploit
1. Pages are fetched through the query parameter `page` (`http://10.0.2.15/?page=somePage`), which exposes the server to a dot-dot-slash (path traversal) attack.
1. We get the flag by requesting `http://10.0.2.15/?page=../../../../../../../etc/passwd`.
## Fix
The problem is that user input directly selects the file to be included or read. Such input must be sanitized, for example with a strict list of allowed values, or by rejecting input containing `../`.
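A sketch of the fix described above, as an added example that is not code from the original write-up or from the target application: the `page` value is resolved through a strict allowlist, with a canonicalize-then-contain check shown as the fallback when an allowlist is not practical. The page names, directory layout and function names are assumptions, and POSIX paths are assumed.

```python
import os
import tempfile

# Hypothetical allowlist: the only values ?page= may take, mapped to files.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}


def resolve_allowlist(page, base_dir):
    """Strict list of allowed values: the input is a lookup key, never a path."""
    filename = ALLOWED_PAGES.get(page)
    return os.path.join(base_dir, filename) if filename else None


def resolve_contained(page, base_dir):
    """Fallback: canonicalize first, then require the result to stay in base_dir.

    Unlike a plain '../' substring filter, this also rejects absolute paths
    and symlinks that point outside the page directory.
    """
    if "\x00" in page:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo():
    """Run both resolvers over constructed sample inputs in a temp tree."""
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        for name in ALLOWED_PAGES.values():
            with open(os.path.join(pages, name), "w") as fh:
                fh.write("page body")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside the page directory")
        samples = ["home", "home.html", "../secret.txt",
                   "../../../../../../../etc/passwd", "/etc/passwd"]
        return {s: (resolve_allowlist(s, pages) is not None,
                    resolve_contained(s, pages) is not None)
                for s in samples}


if __name__ == "__main__":
    for value, (allowlisted, contained) in demo().items():
        print(f"{value!r}: allowlist={allowlisted} contained={contained}")
```
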