Vulnerability of LFI Hashnode Blogging Platform

Hashnode, a developer-oriented blogging platform, has a previously undocumented local file inclusion (LFI) vulnerability that can be exploited to access sensitive data such as SSH keys, the server's IP address, and other network information.


In a report shared with CyberNari, Akamai researchers say the LFI is the result of a Bulk Markdown Import feature that can be manipulated to allow attackers to download local files from Hashnode's server.


Local file inclusion occurs when a web application is tricked into exposing or executing files on the server that it was never meant to serve; it can lead to directory traversal, information disclosure, remote code execution, and cross-site scripting (XSS) attacks.


One consequence of the flaw is that an attacker could access sensitive information, such as the list of the server's user accounts, simply by supplying the path of a file in any directory on the server as input. The web application behind the import feature failed to adequately sanitize the supplied path, so a reference to /etc/passwd was accepted as-is.


Using this flaw, the researchers were able to retrieve the server's IP address and a private SSH key.


The findings come as Akamai reported that it recorded more than five billion LFI attacks between September 1, 2021, and February 28 of this year, a 141% increase over the preceding six months.


A threat actor could use the network information obtained through LFI attacks to conduct further reconnaissance, the researchers note.
