Critical LFI Vulnerability Reported in Hashnode Blogging Platform

News

Researchers have disclosed a previously undocumented local file inclusion (LFI) vulnerability in Hashnode, a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, server’s IP address, and other network information.

“The LFI originates in a Bulk Markdown Import feature that can be manipulated to provide attackers with unimpeded ability to download local files from Hashnode’s server,” Akamai researchers said in a report shared with The Hacker News.

CyberSecurity

Local file inclusion flaws occur when a web application is tricked into exposing or running unapproved files on a server, leading to directory traversal, information disclosure, remote code execution, and cross-site scripting (XSS) attacks.

Hashnode Blogging Platform

The flaw, caused due to the web application failing to adequately sanitize the path to a file that’s passed as input, could have serious repercussions in that an assailant could navigate to any path on the server and access sensitive information, including the /etc/passwd file that contains a list of users on the server.

Armed with this exploit, the researchers said they were able to identify the IP address and the private secure shell (SSH) key associated with the server.

CyberSecurity

While the vulnerability has since been addressed, the findings come as Akamai said it recorded more than five billion LFI attacks between September 1, 2021, and February 28, 2022, marking a 141% increase over the previous six months.

“LFI attacks are an attack vector that could cause major damage to an organization, as a threat actor could obtain information about the network for future reconnaissance,” the researchers said.

Products You May Like

Articles You May Like

Meta Teams Up with Banks to Target Fraudsters
INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa
Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials
Cybersecurity Awareness Month needs a radical overhaul – it needs legislation
Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations

Leave a Reply

Your email address will not be published. Required fields are marked *