Localize: Full Path Disclosure (FPD) in www.localize.im

2014-04-23T01:46:29
ID H1:9256
Type hackerone
Reporter faisalahmed
Modified 2014-04-23T04:56:23

Description

Hi, I found an information disclosure vulnerability (Full Path Disclosure) in your application.

Proof of Concept

GET: https://www.localize.im/projects/[project ID]/languages/[Language ID] POST CONTENT: CSRFToken=TOKEN&updatePhrases[previous][yxr][0]=&updatePhrases[edits][yxr][0]=&updatePhrases[previous][yxq][0]=&####LotsOfPhrases######&updatePhrases[secret]=[SecretCodes]&updatePhrases[translatorID]=[ID]

Just add "[]" after any of those updatePhrases[previous][ID][0] parameters.

The information from the page:

> Warning: trim() expects parameter 1 to be string, array given in /srv/data/web/vhosts/www.localize.im/htdocs/index.php on line 191

I also added a screenshot of that FPD as an attachment. Hope you'll fix this one. Thanks.
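The mechanism behind the report is PHP's bracket syntax: appending "[]" to a POST key makes PHP build an array where the handler expects a string, and a string function such as trim() then emits a warning that names the absolute script path. The following is an added example, not Localize's code: it reproduces that pattern with the field names from the PoC and places the hardened form next to it. The handler names, the constructed request bodies and the demo output are assumptions for illustration.

```php
<?php
// Added example, not Localize's code: reproduces the pattern behind the
// reported warning and shows a hardened form. The field names come from the
// PoC; the handler and function names are assumed for illustration.

// Constructed request bodies (parse_str builds the same nested array PHP
// builds for $_POST). The second one appends "[]" to a leaf, as the PoC does.
parse_str('updatePhrases[previous][yxr][0]=hello&updatePhrases[edits][yxr][0]=', $normal);
parse_str('updatePhrases[previous][yxr][0][]=hello&updatePhrases[edits][yxr][0]=', $polluted);

// Vulnerable pattern: assumes every leaf is a string. Given an array, PHP 5/7
// emit "Warning: trim() expects parameter 1 to be string, array given in
// <absolute script path> on line N" and return NULL; with display_errors on,
// that warning (and the path) is written into the HTTP response. PHP 8 throws
// a TypeError instead, which an uncaught-exception page can leak the same way.
function vulnerableUpdate(array $post): array
{
    $out = [];
    foreach ($post['updatePhrases']['previous'] as $id => $versions) {
        $out[$id] = trim($versions[0]);
    }
    return $out;
}

// Hardened pattern: check the shape before calling string functions, so a
// client-controlled "[]" becomes a 400 instead of a PHP diagnostic.
function hardenedUpdate(array $post): array
{
    $phrases = $post['updatePhrases']['previous'] ?? null;
    if (!is_array($phrases)) {
        throw new InvalidArgumentException('updatePhrases[previous] must be an array');
    }
    $out = [];
    foreach ($phrases as $id => $versions) {
        if (!is_array($versions) || !isset($versions[0]) || !is_string($versions[0])) {
            throw new InvalidArgumentException("updatePhrases[previous][$id][0] must be a string");
        }
        $out[$id] = trim($versions[0]);
    }
    return $out;
}

// Demo. Leaving display_errors on mirrors the configuration the report implies.
ini_set('display_errors', '1');
echo "vulnerable, normal body: ", json_encode(vulnerableUpdate($normal)), "\n";
try {
    echo "vulnerable, polluted body: ", json_encode(vulnerableUpdate($polluted)), "\n";
} catch (TypeError $e) {                  // PHP 8 path
    echo "vulnerable, polluted body: ", get_class($e), ": ", $e->getMessage(), "\n";
}

// Second defence, independent of the code fix: production PHP never prints
// diagnostics to the client; it logs them instead (php.ini: display_errors=Off,
// log_errors=On, error_log pointing at a file writable by the PHP process).
ini_set('display_errors', '0');
ini_set('log_errors', '1');
try {
    echo "hardened, polluted body: ", json_encode(hardenedUpdate($polluted)), "\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);               // no-op on the CLI, sets the status under a web SAPI
    echo "hardened, polluted body: 400 ", $e->getMessage(), "\n";
}
```

Run it with php-cli: on PHP 7 the second line of output is preceded by the trim() warning naming the script's absolute path, which is exactly the leak from the report; on PHP 8 the TypeError is printed instead. Both defences matter on their own: the type check stops this input from reaching trim(), and display_errors=Off keeps any other unexpected warning out of the response.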