Researchers have revealed a previously undocumented Local File Inclusion (LFI) vulnerability in Hashnode, a blogging platform for developers, that could be misused to access sensitive data such as SSH keys, server IP address and other network information.
“LFI originates from a bulk import feature that can be manipulated to provide attackers with the ability to unhinderedly download local files from Hashnode’s server,” Akamai researchers said in a shared report. with The Hacker News.
Local file inclusion flaws occur when a web application is tricked into exposing or executing untrusted files on a server, resulting in directory traversal, information disclosure, code execution distance and cross-site scripting (XSS) attacks.
The flaw, caused by the web application not properly sanitizing the path to a file passed as input, could have serious repercussions as an attacker could navigate to any path on the server and access sensitive information, including the /etc/passwd file which contains a list of users on the server.
Armed with this exploit, researchers said they were able to identify the IP address and secure private shell (SSH) key associated with the server.
Although the vulnerability has since been patched, the findings come as Akamai said it recorded more than five billion LFI attacks between September 1, 2021 and February 28, 2022, marking a 141% increase over six months. previous ones.
“LFI attacks are an attack vector that could cause significant damage to an organization because a threat actor could obtain network information for future reconnaissance,” the researchers said.