ExpressionEngine: Filename and directory enumeration
2016-07-05T05:37:57
ID H1:149273 Type hackerone Reporter strukt Modified 2016-08-08T02:42:35
Description
Hello,
The "Import File Converter" can be abused by an admin to map the server directories and files, because the "File location" field doesn't sanitize the user input and allows access to root directories and files.
Steps to reproduce:
1- Go to http://localhost/ee/admin.php?/cp/utilities/import_converter
2- Set the "File location" to ///etc/, notice the error "You must have at least 3 fields: username, screen_name, and email address", proving that the file exists.
3- Try with ///strukt/, notice the different error message; now it says "The path you submitted is not valid.", meaning the directory doesn't exist.
4- Now try with ///etc/passwd, the first error message shows up.
5- Finally, try with ///etc/strukt, the second message appears.
More successful test cases:
///etc/hosts
///usr/
///var/
../../../../../../../../etc/passwd
Regards
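Editor's added example (not part of the report and not ExpressionEngine code): one way to close the existence oracle described above is to resolve the submitted path under a fixed import directory and return a single error for every rejected path. The function name `resolve_import_file()`, the constant `GENERIC_ERROR` and the temporary base directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not ExpressionEngine code. resolve_import_file() and
// GENERIC_ERROR are hypothetical names; the base directory is an assumption.
const GENERIC_ERROR = 'The file could not be imported.';

function resolve_import_file(string $userPath, string $baseDir): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('Import directory is not configured.');
    }
    // Interpret the input relative to the base directory, whatever leading
    // slashes were supplied, then let realpath() collapse ../ and symlinks.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));

    $inside = $candidate !== false
        && strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;

    // Missing, outside the base, a directory, unreadable: one indistinguishable error.
    if (!$inside || !is_file($candidate) || !is_readable($candidate)) {
        throw new InvalidArgumentException(GENERIC_ERROR);
    }
    return $candidate;
}

// Constructed demo: a temporary import directory holding one member file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ee_import_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'members.csv', "username,screen_name,email\n");

$inputs = ['///etc/', '///strukt/', '///etc/passwd', '///etc/strukt',
           '../../../../../../../../etc/passwd', 'members.csv'];
foreach ($inputs as $input) {
    try {
        printf("%-36s => accepted: %s\n", $input, basename(resolve_import_file($input, $base)));
    } catch (InvalidArgumentException $e) {
        printf("%-36s => %s\n", $input, $e->getMessage());
    }
}

unlink($base . DIRECTORY_SEPARATOR . 'members.csv');
rmdir($base);
```

Every path from the report produces the same message whether or not it exists on the server; content checks such as the field-count error should only run after this function has returned a path.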