LFI on OpenClinic Admin #8

Closed
u0pattern opened this issue Sep 15, 2019 · 0 comments

@u0pattern

PoC : http://localhost/openClinic/shared/view_source.php?file=../config/database_constants.php
Impact: Anyone logged in to the admin account can read files from the server, such as the config, and may be able to get RCE.
Fix: Remove view_source.php, or you can blacklist the dot and slashes.

Hitman ALHarbi | Blackfoxs Team .

@jact jact self-assigned this Sep 17, 2019
@jact jact closed this as completed in 7821ba2 Sep 17, 2019
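
A sketch of a path check for a source viewer of the kind the issue describes, added here as an example and not taken from OpenClinic or from commit 7821ba2. It uses an allowlist of file names plus a canonical-path containment check instead of filtering characters; the function name `resolveViewablePath`, the directory layout and the allowlist contents are assumptions, and the demo files are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not OpenClinic code): returns a path that is safe
// to display, or null when the request must be refused.
function resolveViewablePath(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Exact-match allowlist: unlisted names never reach the filesystem.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise both paths and require the target
    //    to sit inside the base directory after ".." and symlinks resolve.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed demo tree: shared/ holds viewable files, config/ must stay private.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'viewer_demo_' . getmypid();
mkdir("$root/shared", 0700, true);
mkdir("$root/config", 0700, true);
file_put_contents("$root/shared/example.php", "<?php echo 'demo';\n");
file_put_contents("$root/config/database_constants.php", "<?php // constructed\n");

$poc = '../config/database_constants.php';   // the file parameter from the report
$cases = [
    ['example.php', ['example.php']],         // listed file: allowed
    [$poc,          ['example.php']],         // refused by the allowlist
    [$poc,          ['example.php', $poc]],   // bad allowlist: containment still refuses
];
foreach ($cases as [$name, $allowed]) {
    $path = resolveViewablePath($name, "$root/shared", $allowed);
    printf("%-36s %s\n", $name, $path === null ? 'DENY' : 'ALLOW');
}

// Remove the constructed files again.
unlink("$root/shared/example.php");
unlink("$root/config/database_constants.php");
rmdir("$root/shared");
rmdir("$root/config");
rmdir($root);
```

The third case shows why the containment check is kept even with an allowlist in place: a traversal string that slips into the list is still refused once the path is canonicalised.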