U.S. Dept Of Defense: Arbitrary file download vulnerability on a DoD website

2017-05-22T15:59:15
ID H1:230714
Type hackerone
Reporter alyssa_herrera
Modified 2017-07-05T17:10:51

Description

A DoD website was misconfigured in a manner that could have allowed an attacker to collect sensitive information about the web application and system. @psychomantis was able to demonstrate this vulnerability by crafting a specially formatted URL. Thank you for notifying us of this vulnerability!

This website used the DotNetNuke EventsCalendar module, which is prone to an arbitrary-file-download vulnerability. The vulnerable download handler looks like this: website.com/desktopmodules/eventscalendar/downloaddoc.aspx. We can exploit this by appending ?f=~/downloaddoc.aspx, so the request becomes website.com/desktopmodules/eventscalendar/downloaddoc.aspx?f=~/downloaddoc.aspx
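As an added example (not part of the report, and not DotNetNuke code), the check below scans IIS-style log lines for requests to the EventsCalendar download handler whose `f` parameter escapes the module's document folder, which is how the request shown above stands out in server logs. The log lines and the `documents/` folder path are constructed assumptions.

```python
# Added example: detect downloaddoc.aspx requests whose 'f' parameter points
# outside the folder the module is meant to serve from (app-root '~/' references,
# absolute paths, or '..' traversal). Not code from the report or from DotNetNuke.
from urllib.parse import parse_qs, unquote
import posixpath

# Assumption: documents are only meant to be served from this folder.
ALLOWED_PREFIX = "/desktopmodules/eventscalendar/documents/"

# Constructed sample log lines (IIS W3C-style fields:
# date time cs-uri-stem cs-uri-query c-ip sc-status).
SAMPLE_LOG = """\
2017-05-22 15:59:15 /desktopmodules/eventscalendar/downloaddoc.aspx f=documents/agenda.pdf 203.0.113.5 200
2017-05-22 15:59:20 /desktopmodules/eventscalendar/downloaddoc.aspx f=~/downloaddoc.aspx 203.0.113.5 200
2017-05-22 15:59:25 /desktopmodules/eventscalendar/downloaddoc.aspx f=..%2F..%2Fweb.config 203.0.113.5 200
2017-05-22 15:59:30 /default.aspx - 198.51.100.7 200
"""

def unsafe_file_param(query: str) -> bool:
    """True if the 'f' query parameter resolves outside ALLOWED_PREFIX."""
    raw = parse_qs(query, keep_blank_values=True).get("f", [""])[0]
    # Decode once more to catch double-encoding, and normalise Windows separators.
    f = unquote(raw).replace("\\", "/")
    if not f:
        return False
    if f.startswith("~") or f.startswith("/") or ":" in f:
        return True  # '~/' app-root reference, absolute path, or drive letter
    # Resolve any '..' segments against the allowed folder and check containment.
    resolved = posixpath.normpath(ALLOWED_PREFIX + f)
    return not resolved.startswith(ALLOWED_PREFIX)

def find_suspicious(log_text: str) -> list:
    """Return (time, client_ip, query) for each suspicious downloaddoc.aspx request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _date, time, stem, query, ip, _status = parts
        if (stem.lower().endswith("/eventscalendar/downloaddoc.aspx")
                and query != "-" and unsafe_file_param(query)):
            hits.append((time, ip, query))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious download request:", hit)
```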