Critical LFI Vulnerability Reported in Hashnode Blogging Platform
source link: https://thehackernews.com/2022/04/critical-lfi-vulnerability-reported-in.html?m=1
Researchers have disclosed a previously undocumented local file inclusion (LFI) vulnerability in Hashnode, a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, server's IP address, and other network information.
"The LFI originates in a Bulk Markdown Import feature that can be manipulated to provide attackers with unimpeded ability to download local files from Hashnode's server," Akamai researchers said in a report shared with The Hacker News.
Local file inclusion flaws occur when a web application can be tricked into reading or executing files on the server that it was never meant to expose. They typically go hand in hand with directory traversal and can lead to information disclosure, remote code execution, and cross-site scripting (XSS).
The flaw stems from the web application failing to adequately sanitize the file path passed as input. An attacker could therefore navigate to any path on the server and read sensitive files, including /etc/passwd, which lists the accounts on the server.
Armed with this exploit, the researchers said they were able to identify the IP address and the private secure shell (SSH) key associated with the server.
While the vulnerability has since been addressed, the findings come as Akamai said it recorded more than five billion LFI attacks between September 1, 2021, and February 28, 2022, marking a 141% increase over the previous six months.
"LFI attacks are an attack vector that could cause major damage to an organization, as a threat actor could obtain information about the network for future reconnaissance," the researchers said.