Friday, 18 March 2016

Ebay INC (Magento) Web Security Bug Bounty: Directory Traversal / Local File Inclusion In

Little Insight: was vulnerable to a directory traversal / local file inclusion vulnerability. As a result, it was possible for an attacker to load web server-readable files from the local filesystem.


This #LFI was very interesting for me because when I started my work I didn't know it was a Java-based application. Only when I went deeper and deeper did I find that it was a Java-based application, so this one was very hard for me to find, because I was trying, as always, to find etc/passwd.


Report Date: 27th May 2014

Reward for Directory Traversal Vulnerability: 2500$


How This Works

While I was testing, I found a URL in a sub-domain

After seeing this URL, I tried my luck at finding an LFI, so I removed de_DE-1988229788/4394/a32f094df7825f58c6a417309475c6c954804a27.10/1.0 and used the URL as
but when I used this, it showed that you can't access this page.

At this point I was sure it had an insecure forward rule, so I then tried for LFI, still not knowing it was a Java-based application.

... now the work begins ...

My Finding

From the above summary something clicked in my mind, so I tried to find etc/passwd using ../ or ..//..// and many more attempts, but without success.

In between, I found one more URL whose file contained some data.

File contents found:
<web-app xmlns=""


Here I got my answer: it is a Java application. But I was a little surprised to see a Java application with an insecure forward rule.

Then I started searching on Google whether LFI is possible in a Java application, and in a few hours I got something like


Web Application Directory Structure

Now I tried to find web.xml, because it is a config file: web apps on Apache, PHP and others have ../etc/pwd, but this is Java, so it has a web.xml file.

So now the URL with ../web-inf/web.xml
After a few tries I got this

And now I can access every file from the directory on this server.


More about

The vulnerability mentioned here has been confirmed fixed by the eBay Inc. team.
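The kind of check that refuses the requests described above before a path is used as a forward target, as an added example: it is not code from the original post, and the post does not describe eBay's actual fix. It is written in Python for brevity (the same logic fits a servlet filter); the function names, the decode cap and the sample paths are assumptions constructed for illustration.

```python
from urllib.parse import unquote

# Directories the servlet spec keeps private; they must never be served directly.
PROTECTED_DIRS = {"web-inf", "meta-inf"}
MAX_DECODE_ROUNDS = 3  # assumption: layers of percent-encoding we are willing to unwrap


def deny_reasons(raw_path: str) -> set:
    """Return why a path must not be used as a forward target (empty set = allow)."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        path = unquote(path)
    if unquote(path) != path or "\x00" in path:
        return {"undecodable"}  # still encoded after the cap, or NUL byte: refuse
    # Treat backslashes as separators and drop empty and "." segments,
    # so "..//..//" is judged exactly like "../../".
    segments = [s for s in path.replace("\\", "/").split("/") if s not in ("", ".")]
    reasons = set()
    if ".." in segments:
        reasons.add("traversal")
    # Compare case-insensitively: the request in the post used lower-case "web-inf".
    if any(s.lower() in PROTECTED_DIRS for s in segments):
        reasons.add("protected-dir")
    return reasons


def review(paths):
    """Map each denied path to its sorted reasons; allowed paths are omitted."""
    return {p: sorted(r) for p in paths if (r := deny_reasons(p))}


# Constructed sample paths: the probe shapes described in the post,
# one percent-encoded variant, and one benign static resource.
SAMPLE_PATHS = [
    "js/app.js",
    "../etc/passwd",
    "..//..//etc/passwd",
    "../web-inf/web.xml",
    "%2e%2e%2fWEB-INF%2fweb.xml",
]

if __name__ == "__main__":
    for path, why in review(SAMPLE_PATHS).items():
        print(f"DENY {path!r}: {', '.join(why)}")
```

The same function can be run over logged request paths to spot this probing pattern after the fact.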
