OLX: blog.praca.olx.pl database credentials exposure

2018-11-23T03:05:53
ID H1:448985
Type hackerone
Reporter hdbreaker
Modified 2018-12-26T12:46:58

Description

Hi, I found that the site blog.praca.olx.pl is exposing the content of the wp-config.php file in plaintext due to a misconfiguration in the file-manager plugin.

The information can be accessed here: http://blog.praca.olx.pl/wp-content/uploads/file-manager/log.txt

The credentials are stored in the log.txt file as can be seen in the following image: {F379634}

An attacker could use this information for further attacks.

Regards,

Impact

An attacker could use this information for further attacks. If database access is achieved, all the information of the blog will be at risk and could be used to achieve remote code execution via file upload in the admin panel.
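
A defender-side check for the kind of exposure this report describes, added here as an example and not part of the original report: it walks a local web root and flags non-PHP files (such as a plugin's log.txt under the uploads directory) that contain wp-config.php style `define()` lines. The function names, the constant list and the sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# wp-config.php constants whose values are secrets (database credentials, auth keys and salts).
SECRET_DEFINE = re.compile(
    r"""define\s*\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST)|[A-Z_]*(?:KEY|SALT))['"]\s*,""")
MAX_BYTES = 5 * 1024 * 1024  # read at most this much of each file


def find_leaked_config(webroot):
    """Return {relative_path: sorted constant names} for non-PHP files under
    webroot that contain wp-config.php style define() lines."""
    findings = {}
    root = Path(webroot)
    for path in sorted(root.rglob("*")):
        # .php files are executed by the server, not served as text, so skip them.
        if not path.is_file() or path.suffix.lower() == ".php":
            continue
        try:
            with path.open("rb") as fh:
                text = fh.read(MAX_BYTES).decode("utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: nothing to report
        names = sorted(set(SECRET_DEFINE.findall(text)))
        if names:
            findings[path.relative_to(root).as_posix()] = names
    return findings


def demo():
    """Build a constructed uploads tree with placeholder values and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp, "wp-content/uploads/file-manager/log.txt")
        log.parent.mkdir(parents=True)
        log.write_text("opened wp-config.php\n"
                       "define('DB_USER', 'EXAMPLE_USER');\n"
                       "define( \"DB_PASSWORD\", 'EXAMPLE_PLACEHOLDER' );\n"
                       "define('AUTH_KEY', 'EXAMPLE_KEY');\n")
        Path(tmp, "wp-content/uploads/notes.txt").write_text("nothing sensitive\n")
        Path(tmp, "wp-config.php").write_text("<?php define('DB_PASSWORD', 'x');\n")
        return find_leaked_config(tmp)


if __name__ == "__main__":
    for rel, names in demo().items():
        print(f"{rel}: {', '.join(names)}")
```

Any file this reports should be removed from the web root and the credentials it contained rotated, since they may already have been read.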