LFI vulnerability in Webport CMS version 1.19.10.17121
Expected behaviour:
This script is possibly vulnerable to directory traversal attacks. LFI is a vulnerability that allows attackers to access restricted directories and read files outside of the web server's root directory. The vulnerability affects http://localhost/file/download via the file parameter.
Impact:
The impact of a Local File Inclusion (LFI) vulnerability varies from information disclosure to complete compromise of the system. Even in cases where the included code is not executed, it can still give an attacker enough valuable information to be able to compromise the system.
Steps to reproduce:
- Go to the admin login
- Inject payload via /file/download?file=
- For example: ../../Users/Default/NTUSER.DAT
POC:
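
Added example, not part of the original report and not Webport's code: a sketch of the server-side check whose absence the report describes, resolving the file value against a fixed download directory and rejecting anything that lands outside it. The function names, the directory layout and the choice of Python are assumptions for illustration; the sample requests are constructed, apart from the traversal value quoted in the steps above.

```python
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """The requested name resolves outside the download directory."""


def resolve_download(base_dir, requested):
    """Map the `file` query value to a path under base_dir, or raise."""
    if not requested or "\x00" in requested:
        raise TraversalError("empty name or NUL byte")
    # Treat "\" as a separator on every platform: the reported host is
    # Windows, where both "..\" and "../" climb a directory.
    candidate = requested.replace("\\", "/")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks. Joining an absolute
    # path discards base entirely; the containment check catches that too.
    target = (base / candidate).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise TraversalError(f"{requested!r} escapes {base}") from None
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


def demo():
    """Run constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "downloads"      # hypothetical download root
        root.mkdir()
        (root / "manual.pdf").write_bytes(b"%PDF-")
        (Path(tmp) / "secret.txt").write_text("outside the root")
        for name in ("manual.pdf",
                     "../../Users/Default/NTUSER.DAT",  # value from the report
                     "..\\secret.txt", "/etc/passwd"):
            try:
                resolve_download(root, name)
                results[name] = "served"
            except TraversalError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{outcome:8}  {name}")
```

The check runs on the resolved path rather than on the raw string, so it does not depend on filtering particular "../" spellings.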

