Before describing the issue found on WhatsApp, I want to introduce the LFD vulnerability.
The Local File Disclosure vulnerability allows an attacker to read the content of files and obtain important information such as FTP or MySQL credentials, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs when user-supplied input is used without proper validation.
This can lead to something like outputting the contents of a file, but depending on the severity, it can also lead to:
- Code execution on the underlying operating system (in case the web application has root privileges and can read the content of the /etc/shadow file, and the attacker is able to crack the /etc/shadow hashed passwords)
- Sensitive Information Disclosure
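The missing validation described above, as an added example that is not code from WhatsApp or from the original post: a file-download resolver that joins user input onto a base directory unchecked, next to a version that confines the resolved path to that directory. The function names, file names and directory layout are hypothetical and constructed in a temporary directory; a POSIX system is assumed for the symlink case.

```python
import os
import tempfile

def resolve_naive(base_dir, user_path):
    # Vulnerable pattern: user input is joined onto the path with no validation.
    return os.path.join(base_dir, user_path)

def resolve_safe(base_dir, user_path):
    """Return the real path of user_path if it stays inside base_dir, else None."""
    if "\x00" in user_path:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses "..", honours absolute paths and follows symlinks,
    # so the containment check sees the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def demo():
    """Run constructed requests through both resolvers.

    Returns (label, naive_reaches_secret, safe_allows) for each request.
    """
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "downloads")  # directory meant to be served
        os.mkdir(downloads)
        secret = os.path.join(root, "secret.conf")   # file outside the served directory
        with open(os.path.join(downloads, "manual.pdf"), "w") as f:
            f.write("public document")
        with open(secret, "w") as f:
            f.write("db_password=constructed-sample")
        os.symlink(secret, os.path.join(downloads, "link.pdf"))

        requests = [
            ("plain", "manual.pdf"),
            ("dot-dot", "../secret.conf"),
            ("absolute", secret),   # os.path.join discards the base for absolute input
            ("symlink", "link.pdf"),
        ]
        results = []
        for label, value in requests:
            naive = os.path.realpath(resolve_naive(downloads, value))
            reaches_secret = naive == os.path.realpath(secret)
            results.append((label, reaches_secret, resolve_safe(downloads, value) is not None))
        return results

if __name__ == "__main__":
    for row in demo():
        print(row)
```
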
The vulnerable link that allows me to download the /etc/passwd file is:
and this is the content of the /etc/passwd file
The bug has now been fixed.