Path Traversal in CentralSquare's CryWolf
A path traversal vulnerability in the CryWolf (False Alarm Management) application allows unauthenticated attackers to read files outside of the working web directory leading to the disclosure of sensitive information.
By sending a traversal payload to the endpoint GeneralDocs.aspx in the rpt parameter, it is then possible to access the full contents of the file by visiting gdoc1.ashx.
Repro:
- Step 1: Visit
GeneralDocs.aspx?rpt=../web.configin a browser with an intercepting proxy configured. - Step 2: From the intercepting proxy, locate the GET request to
gdoc1.ashx, this will contain the contents ofweb.config.
References: