Sunday, 21 September 2014

Nokia Web Security Bug Reward: Directory Traversal / Local File inclusion Vulnerability




Little Insight: 

 

Well this is my first Directory Traversal Vulnerability / Local File inclusion Vulnerability

 

which I spotted in  http://conversations.nokia.com  

 

Report Date :  5th march 2014 

 

Reward For  Directory Traversal Vulnerability  : Nokia  Lumia 925 Phone

 

How This Work


when i was testing it was found url a link on  subdomain 


with post request 

action=get_ajax_post_template&page=2&param=4614&postPerPage=12&template=

when i am use any word template=Jeet thats show 200  responce with result as 0






Template parameter show its access another url form site


 ... now work begin....


My Finding....




with post request 

action=get_ajax_post_template&page=2&param=4614&postPerPage=12&template=

Template parameter show its access another url That's gave me a hint may be there is an LFI

Then i am  Googled for a cheat sheet For Directory Traversal

In a few minutes complete Task and found Traversal parameter....as


../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd

 

 

 Normal Request..

 

 

 

 

 

 After Payload...

 

 

 

 

More Information

 

The vulnerability mentioned here has been confirmed patched by the Nokia Security Team.

 

 


1 comment:

  1. Great Article
    Cyber Security Projects

    projects for cse

    Networking Projects

    JavaScript Training in Chennai

    JavaScript Training in Chennai

    The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

    ReplyDelete