hackerone Sp1d3rs H1:684836
History: Aug 30, 2019 - 4:27 a.m.

U.S. Dept Of Defense: Local File Disclosure on the █████ (https://████████.edu/) leads to the full source code disclosure and credentials leak

2019-08-30 04:27:15
sp1d3rs
hackerone.com

AI Score

7.4

Confidence

Low

## Description
While poking around the ██████.00/24 range - ██████████ looking for the Cisco devices, I came across ███ which resolved to the https://███████.edu/
While it's not a .mil host, it's likely related to the DoD since it is hosted in the DoD-controlled ASN.

I discovered a few critical vulnerabilities here, one of them is LFD (local file disclosure).

## POC
https://██████.edu/file.ashx?path=web.config
will download the website configuration file.
It exposes the DB credentials:
███

Similarly, an attacker is able to get the content of any server-side resource, such as the source code of the application:
https://███.edu/file.ashx?path=UserAccountJSON.aspx.cs

## Impact

Source code & DB credentials leakage. An attacker can use it to compromise the resource.
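
A defensive counterpart to the `file.ashx?path=` behaviour reported above, as an added example that is not part of the original report and is not the affected site's code: one way a download handler can resolve the `path` value so that `web.config`, `.cs` sources and traversal sequences are refused. The class name `SafeDownloadPath`, the method `Resolve`, the extension allowlist and the dedicated download directory are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Hypothetical helper for a download handler such as file.ashx. Assumes downloads
// live in a dedicated directory that holds no web.config or source files.
public static class SafeDownloadPath
{
    // Assumed policy: only these document types are ever served.
    static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".pdf", ".png", ".txt" };

    // Returns the canonical path to serve, or null when the request must be refused.
    public static string Resolve(string downloadRoot, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested)) return null;
        try
        {
            string root = Path.GetFullPath(downloadRoot)
                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                + Path.DirectorySeparatorChar;
            // Canonicalize first so "..", mixed separators and rooted paths are resolved
            // before any check runs.
            string full = Path.GetFullPath(Path.Combine(root, requested));
            // Containment: the resolved file must sit under the download root.
            if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
            // Type allowlist: .config, .cs, .aspx and anything unlisted are refused.
            if (!AllowedExtensions.Contains(Path.GetExtension(full))) return null;
            return File.Exists(full) ? full : null;
        }
        catch (Exception)
        {
            return null; // Malformed input (invalid characters, over-long path): fail closed.
        }
    }

    public static void Main()
    {
        // Constructed sample: a temporary download root containing one PDF.
        string root = Path.Combine(Path.GetTempPath(), "downloads-demo");
        Directory.CreateDirectory(root);
        File.WriteAllText(Path.Combine(root, "report.pdf"), "sample");
        foreach (string p in new[] { "report.pdf", "web.config", "UserAccountJSON.aspx.cs", "../web.config" })
            Console.WriteLine("{0} -> {1}", p, Resolve(root, p) ?? "refused");
    }
}
```

A handler built on this would answer with a 404 whenever `Resolve` returns null, so the response does not reveal which of the checks failed.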
