Security Research Work for Directi Part1
11 Oct 2016This post is regarding critical vulnerability i found on directi’s codechef.com.Was Awarded a bug finder t-shirt and a 1000 laddus as a part of rewarding system.
Proof of Concept
I started digging using burpsuite for session mishandling and idor but found nothing.
On going deeper using a Google Dork (Advanced Search Technique on Google) site:www.codechef.com inurl:”php”
Executing the dork above on Google gives me these results:

So, I got 3 results with same URL Scheme
www.codechef.com/download.php?file=[vulnerable]
I figured out that the “file” parameter is the File Name which got downloaded automatically. So, It quickly reminds me that this kind of URL Scheme is possibly vulnerable to Directory Traversal.

After browsing the URL above, something popped out and asked me to download a file and here’s the content of the file I have downloaded.

I also viewed etc/profile ,etc/services,server configuration file,php configuration file and many others files like backup files which contain sensitive data.
