This repository has been archived by the owner on Sep 10, 2024. It is now read-only.

Local File Inclusion (LFI) vulnerability #463

Closed
jimanx2 opened this issue Jan 20, 2021 · 2 comments

Comments


jimanx2 commented Jan 20, 2021

Make sure you read Issues Guideline and answer these questions before submitting your issue. Thanks!
(Any non-English issues will be closed immediately.)

  1. Please provide your PHP and Swoole version. (php -v and php --ri swoole)
PHP 7.3.18 (cli) (built: May 15 2020 04:09:37) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.18, Copyright (c) 1998-2018 Zend Technologies

swoole

Swoole => enabled
Author => Swoole Team <team@swoole.com>
Version => 4.5.2
Built => Jul  9 2020 16:08:59
coroutine => enabled
epoll => enabled
eventfd => enabled
signalfd => enabled
spinlock => enabled
rwlock => enabled
openssl => OpenSSL 1.1.1g  21 Apr 2020
http2 => enabled
zlib => 1.2.11
brotli => E16777223/D16777223
mutex_timedlock => enabled
pthread_barrier => enabled
mysqlnd => enabled
async_redis => enabled
  2. Please provide your Laravel/Lumen version.
name     : laravel/lumen-framework
descrip. : The Laravel Lumen Framework.
keywords : framework, laravel, lumen
versions : * v5.8.13
  3. Which release version of this package are you using?
name     : swooletw/laravel-swoole
descrip. : High performance HTTP server based on Swoole. Speed up your Laravel and Lumen applications.
keywords : http, laravel, lumen, performance, server, swoole
versions : * v2.6.68
  4. What did you do? If possible, provide a recipe for reproducing the error.

curl -v --path-as-is http://localhost:1215/../../../../../../../../../../../etc/passwd

  5. What did you expect to see?

404 Not Found

  6. What did you see instead?
*   Trying 127.0.0.1:1215...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1215 (#0)
> GET /../../../../../../../../../../../etc/passwd HTTP/1.1
> Host: localhost:1215
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/octet-stream
< Server: swoole-http-server
< Connection: keep-alive
< Date: Wed, 20 Jan 2021 04:11:28 GMT
< Content-Length: 1395
<
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
[REMAINING REDACTED]
* Connection #0 to host localhost left intact

Kindly advise what I can do to block this.
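The request above escapes the static-file root because the `..` segments are never normalised before the file is opened. The following is an added example, not code from laravel-swoole or from the issue author, of the check a static-file handler needs: resolve the requested path with `realpath()` and serve the file only if the result still lies under the public root. The function name `resolveStaticFile` and the temporary public directory are constructed for this illustration.

```php
<?php
// Added example (not laravel-swoole's own handler): map a request path onto
// the public root and refuse anything that resolves outside it.
declare(strict_types=1);

/**
 * Return the real filesystem path for $requestPath if it names a regular file
 * inside $publicRoot; return null (the caller should answer 404) otherwise.
 */
function resolveStaticFile(string $publicRoot, string $requestPath): ?string
{
    $root = realpath($publicRoot);
    if ($root === false) {
        return null;
    }
    // Strip query string and fragment, then percent-decode so that an encoded
    // "%2e%2e" is checked exactly like a literal "..".
    $path = strtok($requestPath, '?#');
    if ($path === false) {
        return null;
    }
    $path = rawurldecode($path);
    // PHP filesystem calls stop at a NUL byte, so reject it outright.
    if (strpos($path, "\0") !== false) {
        return null;
    }
    // realpath() collapses every "." / ".." and resolves symlinks, or returns
    // false when the target does not exist.
    $candidate = realpath($root . '/' . ltrim($path, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved file must sit below the root. Comparing against
    // "<root>/" (separator included) stops "/public2" matching a "/public" root.
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a throwaway public root containing a single asset.
$public = sys_get_temp_dir() . '/static-root-demo-' . getmypid();
mkdir($public, 0700);
file_put_contents($public . '/app.js', "console.log('ok');\n");

var_dump(resolveStaticFile($public, '/app.js'));                                  // file inside the root
var_dump(resolveStaticFile($public, '/../../../../../../../../../../../etc/passwd')); // traversal from the report
var_dump(resolveStaticFile($public, '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'));  // percent-encoded traversal
var_dump(resolveStaticFile($public, '/missing.js'));                              // nonexistent file

unlink($public . '/app.js');
rmdir($public);
```

Only the first call yields a path; the other three return null, which is what a handler should turn into the 404 the reporter expected.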

@jimanx2 jimanx2 changed the title RFI vulnerability Local File Inclusion (LFI) vulnerability Jan 20, 2021
@Arkanius
Contributor

It's already fixed at #462

We're going to release the fix this week

@jimanx2
Author

jimanx2 commented Jan 21, 2021

Great work guys. I loved swoole so much! :D

@jimanx2 jimanx2 closed this as completed Jan 21, 2021