Monday, 20 October 2014

Facebook Web Security Bug Bounty: Directory Traversal Vulnerability / RCE In  directory traversal vulnerability

Little insight:  was vulnerable to a directory traversal / RCE vulnerability. As a result, it was possible for an attacker to load web-server-readable files from the local filesystem, or to run commands on the server.

Well, this is my 4th reward from Facebook, for a Directory Traversal or RCE vulnerability.

That gives me 5th position on the Facebook White Hat page.

Report Date: 23 July 2014

Reward for Directory Traversal or RCE Vulnerability: $20,000

How does this work?

As discussed earlier in my old post, the Flowdock Directory Traversal Vulnerability exposed files outside of Rails' view paths: '%5C' turns into '\' after decoding, and Rack::Protection only rejects '/../' segments in the request path.

A patch was applied to Rack::Protection according to CVE-2014-0130, and it now also rejects '%5C', which turns into '\' after decoding.

Now, my work:

My finding:

In the above summary (CVE-2014-0130), it rejects '/../' segments in the request path, and the path is also sanitized to filter out malicious characters like "..%5c".

Now I try to bypass the filter with "\../" or "\..%2f" segments in the request path. More details I will disclose in the next post: the Ruby on Rails Rack::Protection bypass affected old versions.

Patched versions you can use: 4.1.1, 4.0.5, 3.2.18.
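To show why a filter that looks only at the raw request path misses the "\..%2f" segments described above, here is an added pure-Ruby comparison (not code from this post, from Rails or from Rack::Protection) of a naive check modelled on the behaviour described, which rejects only '/../' and '..%5c' in the raw path, against a check that percent-decodes first, treats '\' as a separator and resolves the segments against the application root. It goes beyond the post by repeating the decoding so double-encoded input is caught too; the sample paths are constructed and include the post's own vector.

```ruby
# Naive filter modelled on the behaviour the post describes (an assumption,
# not Rack::Protection's real code): it scans only the raw, undecoded
# request path for '/../' and '..%5c'.
def naive_rejects?(raw_path)
  raw_path.include?('/../') || raw_path.downcase.include?('..%5c')
end

# Percent-decode until the string stops changing, so a double-encoded
# '%255c' -> '%5c' -> '\' is caught as well as single encoding.
def percent_decode(str)
  decoded = str
  loop do
    pass = decoded.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    break if pass == decoded
    decoded = pass
  end
  decoded
end

# Canonicalise after decoding: '\' becomes '/', '.' and empty segments are
# dropped, '..' pops a segment. Returns nil when the path would climb above
# the application root, i.e. when it is a traversal attempt.
def canonical_path(raw_path)
  segments = []
  percent_decode(raw_path).gsub('\\', '/').split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      return nil if segments.empty?
      segments.pop
    else
      segments << seg
    end
  end
  '/' + segments.join('/')
end

def traversal?(raw_path)
  canonical_path(raw_path).nil?
end

# Constructed sample requests: the post's vector, a double-encoded variant,
# a benign path, and a benign path that the naive filter over-blocks.
SAMPLE_PATHS = ['\..%2f\..%2f\..%2fGemfile', '..%255c..%255cGemfile',
                '/assets/app.js', '/assets/../app.js'].freeze

# Returns [path, naive_verdict, hardened_verdict] for each sample path.
def compare_filters(paths = SAMPLE_PATHS)
  paths.map { |p| [p, naive_rejects?(p), traversal?(p)] }
end

compare_filters.each { |path, naive, hard| puts "#{path} naive=#{naive} hardened=#{hard}" }
```

The naive check returns false for the post's vector and for the double-encoded variant, while the decoding check flags both; it also stops over-blocking '/assets/../app.js', which resolves safely to '/app.js'.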

Now, coming back to Facebook acquisitions:

Here is the proof of concept that I included with the LFI/RCE bug. It displayed the contents of /etc/passwd or /Gemfile from the server.

More than 5 pages on  were vulnerable to the same vector.

One of them:

PoC URL: \..%2f\..%2f\..%2fGemfile

After some time,

I found out how to convert a Ruby on Rails LFI into remote code execution or a shell.

Thanks to Jeff Jarmoc for the great article on remote code execution / shell that made it possible to get RCE on

PoC URL: \..%2f\..%2f\..%2fproduction.log?codetoexec=?

More about:

The vulnerability mentioned here has been confirmed and fixed by the Facebook team.

I would like to thank Jeff Jarmoc for such a great article and Neal for handling this issue. The vulnerability was patched and the fix was deployed in production within 2 hours of my initial report.
