Little Insight:
https://wiki.magento.com was vulnerable to a directory traversal / local file inclusion vulnerability. As a result, it was possible for an attacker to load web server-readable files from the local filesystem.
This #LFI was very interesting for me, because when I started working on it I did not know it was a Java-based application. Only after digging deeper and deeper did I find out that it was Java based, so this one was very hard for me to find, because I was trying to find etc/passwd as always.
Report Date: 27th May 2014
Reward for Directory Traversal Vulnerability: 2500$
How This Works
While testing, I found a URL on a sub-domain.
After seeing this URL I tried my luck at finding an LFI, so I removed de_DE-1988229788/4394/a32f094df7825f58c6a417309475c6c954804a27.10/1.0 and used the URL as https://wiki.magento.com/s/
but when I used this, it showed that you can't access this page.
At this point I was sure it had an insecure forward rule, so I started trying for LFI, still not knowing it was a Java-based application.
... now the work begins ....
My Findings....
From the above, something clicked in my mind: I now tried to find etc/passwd using ../ or ..//..// and many more attempts, but without success.
In between, I found one more URL whose file contained some data.
File contents found:
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
Here I got my answer: it is a Java application. But I was a little surprised: a Java application with an insecure forward rule.
Then I started searching Google for whether LFI is possible in a Java application, and in a few hours I got something like:
Web Application Directory Structure
myWebApp/
  WEB-INF/
    web.xml
    weblogic.xml
    lib/
      MyLib.jar
    classes/
      MyPackage/
        MyServlet.class
  index.html
  index.jsp
Next I tried to find web.xml, because it is the configuration file: on Apache, PHP and other web apps you go after ../etc/passwd, but this is Java, so it has a web.xml file.
So now the URL with ../web-inf/web.xml
After a few tries I got this:
https://wiki.magento.com/s/de_DE-1988229788/4394/a32f094df7825f58c6a417309475c6c954804a27.10/1.0/../../WEB-INF/web.xml
and now I can access every file from the directory on this server.
More about
The vulnerability mentioned here has been confirmed fixed by EBay Inc Team.
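A defender-side check for the forward rule described above, as an added example that is not part of the original write-up or of the application's own code. It assumes the /s/ URLs carry four version segments before the resource path; the names classify and refused and every sample path except the one quoted above are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: versioned static URLs look like the one in the write-up,
# /s/<locale-build>/<number>/<hash>/<version>/<resource path>
STATIC_PREFIX = re.compile(r"^/s/(?:[^/]+/){4}")
PROTECTED = {"web-inf", "meta-inf"}  # never meant to be served to clients


def classify(url_or_path: str) -> str:
    """Return 'ok', 'not-static', or the reason the forward must be refused."""
    path = urlsplit(url_or_path).path
    match = STATIC_PREFIX.match(path)
    if not match:
        return "not-static"
    rest = path[match.end():]
    for _ in range(3):  # decode a few rounds so encoded dot segments are compared decoded
        rest, previous = unquote(rest), rest
        if rest == previous:
            break
    segments = [s for s in rest.replace("\\", "/").split("/") if s not in ("", ".")]
    depth = 0
    for segment in segments:
        depth += -1 if segment == ".." else 1
        if depth < 0:  # walked above the directory the rule is meant to serve
            return "escapes-static-root"
    # Case-insensitive match, since ../web-inf/ and ../WEB-INF/ both appear above.
    resolved = posixpath.normpath("/" + "/".join(segments))
    if any(part.lower() in PROTECTED for part in resolved.split("/")):
        return "protected-directory"
    return "ok"


# Constructed sample requests; only the first path is the one quoted in the write-up.
PREFIX = "/s/de_DE-1988229788/4394/a32f094df7825f58c6a417309475c6c954804a27.10/1.0/"
SAMPLE_REQUESTS = [
    PREFIX + "../../WEB-INF/web.xml",
    PREFIX + "_/images/logo.png",
    PREFIX + "css/../web-inf/web.xml",
    "/display/home",
]


def refused(requests):
    """Pair each request that must not be forwarded with the reason."""
    return [(r, classify(r)) for r in requests if classify(r) not in ("ok", "not-static")]


if __name__ == "__main__":
    for request, reason in refused(SAMPLE_REQUESTS):
        print(reason, request)
```

The same function can be run over the request paths in an access log to find earlier requests that the forward rule should have refused.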