
Vulnerability in backup file retrieval that can expose arbitrary files

Moderate
rhukster published GHSA-vrvq-2pxg-rw5r Dec 10, 2020

Package

Grav Admin Plugin (PHP)

Affected versions

1.9.17

Patched versions

1.9.18

Description

Impact

The admin suite includes functionality to back up a website; the resulting backup file can then be downloaded for storage.

However, it is possible to supply a relative path to a known file on the file system and download that file instead. This means that any file the web server has read permission on could be viewed.

During testing, using full relative paths, it was even possible to view files outside of the webroot. Within the webroot, user configuration files and the password hash could be read, for instance.

NOTE: This vulnerability can only be exploited by admin user accounts with super or maintenance roles.
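The class of defect described above is a path traversal in a file-download handler: the requested backup name is joined onto the backup directory without confirming that the resolved result still lies inside it. The following is an added example, not code from the Grav Admin Plugin or from the advisory author, showing the containment check a download endpoint should perform. It uses a constructed temporary directory tree (`backups/site-backup.zip`, a `config/accounts.yaml` outside the backup directory, and a symlink named `link`) in place of any real installation layout, and returns only the resolved path so the result can be checked rather than printed.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_backup_file(backup_dir: str, requested: str) -> Optional[Path]:
    """Return the on-disk path of a backup only if it stays inside backup_dir.

    Three independent checks, each of which alone would have blocked the
    relative-path download described in the advisory:
      1. the request must be a bare filename (no separators, no '..');
      2. the fully resolved path (symlinks and '..' collapsed) must be a
         direct child of the resolved backup directory;
      3. the target must be a regular file that actually exists.
    """
    base = Path(backup_dir).resolve()

    # 1. Anything other than a bare filename is rejected outright.
    if not requested or requested != os.path.basename(requested):
        return None

    # 2. Resolve and compare against the canonical base; this also catches
    #    '..' (basename('..') == '..') and symlinks pointing outside.
    candidate = (base / requested).resolve()
    if candidate.parent != base:
        return None

    # 3. Only serve regular files, never directories or dangling links.
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Build a constructed tree and report which requests are served.

    Returns a mapping of requested name -> True if a file would be served.
    """
    with tempfile.TemporaryDirectory() as root:
        root_p = Path(root)
        backups = root_p / "backups"
        backups.mkdir()
        # Constructed placeholder content; not a real archive.
        (backups / "site-backup.zip").write_bytes(b"PK\x03\x04 constructed")

        # Constructed sensitive file outside the backup directory.
        config = root_p / "config"
        config.mkdir()
        (config / "accounts.yaml").write_text("password: constructed-hash\n")

        # A symlink inside the backup directory that escapes it. Creating
        # symlinks can fail on some platforms; the check still rejects the
        # name because no regular file exists there.
        try:
            (backups / "link").symlink_to(config / "accounts.yaml")
        except OSError:
            pass

        requests = [
            "site-backup.zip",            # legitimate backup
            "../config/accounts.yaml",    # relative traversal
            "..",                         # bare parent reference
            "link",                       # symlink escaping the directory
            "/etc/passwd",                # absolute path
            "missing.zip",                # nonexistent backup
        ]
        return {
            name: resolve_backup_file(str(backups), name) is not None
            for name in requests
        }


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name!r:30} -> {'served' if served else 'rejected'}")
```

Comparing resolved paths rather than inspecting the string for `..` is what makes the check robust: URL-encoded or otherwise disguised separators are normalised by the filesystem before the comparison, and symlinks planted inside the backup directory are followed to their real target before the containment test runs.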

References

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion

For more information

Please contact contact@pentest.co.uk

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs

Credits