Triaging an LFI Vulnerability Report

Anonymous Traiger
4 min read · Dec 30, 2024

The report landed in my queue late in the evening, and at first glance, it seemed like a straightforward Local File Inclusion (LFI) vulnerability. The hunter claimed they had managed to access sensitive files on the target server by exploiting a directory traversal flaw in the page parameter. Intrigued, I decided to dig deeper.

The Alleged Vulnerability

The hunter’s report began innocuously, describing the behavior of the vulnerable endpoint:

www.target.com/rd?page=/change/lmtstats.html

When accessed, it returned a valid HTML file. They suspected that manipulating the page parameter with directory traversal sequences (../) could grant access to unauthorized files on the server.

To illustrate, they provided an example:

www.target.com/rd?page=../../../etc/passwd

According to the hunter, this revealed the contents of /etc/passwd, a file critical to the system's security. The hunter also shared their suspicion that the endpoint could be further abused, potentially escalating to Remote Code Execution (RCE).
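
The traversal the hunter describes, seen from the server side, as an added example that is not code from the report or the target: a handler that concatenates the page parameter onto a web root, next to one that canonicalises the path and rejects anything outside the root. The function names and the temporary web root are assumptions made for illustration.

```python
import os
import tempfile

def inside(web_root, path):
    """True if `path`, once symlinks and ../ are resolved, is under web_root."""
    root = os.path.realpath(web_root)
    # commonpath compares whole components, so /srv/www-old never matches /srv/www.
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def resolve_naive(web_root, page):
    # Vulnerable pattern: the parameter is appended as-is, so ../ climbs out of the root.
    return os.path.normpath(web_root + "/" + page)

def resolve_safe(web_root, page):
    """Return the canonical path for `page`, or None if it leaves web_root."""
    root = os.path.realpath(web_root)
    # Treat the parameter as relative to the root even when it starts with "/".
    candidate = os.path.realpath(os.path.join(root, page.lstrip("/")))
    return candidate if inside(root, candidate) else None

def demo():
    # Constructed web root holding the page from the report's first URL.
    web_root = tempfile.mkdtemp()
    os.makedirs(os.path.join(web_root, "change"))
    open(os.path.join(web_root, "change", "lmtstats.html"), "w").close()
    results = {}
    for page in ("/change/lmtstats.html", "../../../etc/passwd"):
        results[page] = (resolve_naive(web_root, page), resolve_safe(web_root, page))
    return web_root, results

if __name__ == "__main__":
    root, results = demo()
    for page, (naive, safe) in results.items():
        print(f"page={page!r}")
        print(f"  naive -> {naive} (inside root: {inside(root, naive)})")
        print(f"  safe  -> {safe}")
```

When triaging, the same comparison applies to the response: a genuine hit means the server resolved a path outside its document root, which is what the safe resolver refuses to do.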
