Critical LFI vulnerability reported in Hashnode blogging platform
Researchers have disclosed a previously undocumented local file inclusion (LFI) vulnerability in Hashnode, a blogging platform aimed at developers, which could be misused to gain access to sensitive data such as SSH keys, the server's IP address and other network information.
“The LFI has its origins in a Markdown Bulk Import Feature which can be manipulated to provide attackers with the ability to download local files unhindered from Hashnode’s server,” Akamai researchers said in a report shared with The Hacker News.
Local file inclusion flaws occur when a web application is tricked into exposing or executing untrusted files on a server, resulting in directory traversal, information disclosure, remote code execution and cross-site scripting (XSS) attacks.
The flaw, caused by the web application not properly sanitizing the path to a file passed as input, could have serious repercussions, as an attacker could navigate to any path on the server and access sensitive information, including the /etc/passwd file, which contains a list of users on the server.
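The missing path check described above can be shown as an added example (not Hashnode's code, and not taken from the Akamai report): a hypothetical importer resolves file references against an import directory, first with an unchecked join and then with canonicalisation and containment enforced. All function names, the directory layout and the sample references are assumptions constructed for illustration.

```python
import os
import tempfile

class UnsafePathError(ValueError):
    """Raised when a referenced path resolves outside the import root."""

def naive_resolve(import_root, referenced):
    # Vulnerable pattern: the user-supplied path is joined without checks, so
    # "../" segments or an absolute path escape import_root.
    return os.path.normpath(os.path.join(import_root, referenced))

def safe_resolve(import_root, referenced):
    # Canonicalise both sides (realpath also follows symlinks), then require
    # the result to stay under the root.
    root = os.path.realpath(import_root)
    if "\x00" in referenced:
        raise UnsafePathError("NUL byte in path")
    candidate = os.path.realpath(os.path.join(root, referenced))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePathError(f"{referenced!r} escapes the import root")
    return candidate

def check_references(import_root, references):
    """Return {reference: resolved path, or None if it was rejected}."""
    results = {}
    for ref in references:
        try:
            results[ref] = safe_resolve(import_root, ref)
        except UnsafePathError:
            results[ref] = None
    return results

def demo():
    # Constructed sample: a temp dir as import root holding one legitimate file.
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "import")
        os.makedirs(os.path.join(root, "images"))
        open(os.path.join(root, "images", "logo.png"), "wb").close()
        refs = ["images/logo.png", "../../etc/passwd", "/etc/passwd",
                "images/../../outside.txt"]
        naive = {r: naive_resolve(root, r) for r in refs}
        return os.path.realpath(root), naive, check_references(root, refs)

if __name__ == "__main__":
    root, naive, safe = demo()
    for ref in naive:
        print(f"{ref!r}: naive -> {naive[ref]}  safe -> {safe[ref]}")
```

Rejected references come back as `None`, which gives the importer a single place to log the attempt and skip the file.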
Armed with this exploit, researchers said they were able to identify the IP address and the private secure shell (SSH) key associated with the server.
Although the vulnerability has since been patched, the findings come as Akamai said it recorded more than five billion LFI attacks between September 1, 2021 and February 28, 2022, marking a 141% increase from the previous six months.
“LFI attacks are an attack vector that could cause significant damage to an organization because a threat actor could obtain network information for future reconnaissance,” the researchers said.