Directory Traversal (LFI)

Hello everyone,
I have recently reported a Directory Traversal to Yahoo! that I’d like to share with everyone. As I was roaming around the website (which redirects to I came across the following link:

Of course, the first thing I did was to just simply remove the html file out of the url and see what I get:

and sure enough I was able to see the file directory:


I also tried to read the passwd file located in etc:

and I was successful:


According to a good friend of mine, I could and should have done the following to get a Remote Command Execution:

An attacker may be able to inject the following code by sending a get request such as

<? passthru($_GET[command]) ?>

and inject that into the log file to use as a backdoor

But I didn’t think about the following, nor to record my PoC due to all the adrenaline I was feeling when I discovered this vulnerability.

Thank you for reading!

2014-02-06 Reported
2014-02-10 Status changed to triaged
2014-02-11 Fixed

One thought on “ Directory Traversal (LFI)

  1. Pingback: Crack

Leave a Reply