Hashnode, a developer-oriented blogging platform, has a previously undiscovered local file inclusion (LFI) vulnerability that might be exploited to gain access to sensitive data such as SSH keys, the server’s IP address, and other network information.
The LFI is based on a Bulk Markdown Import feature that can be abused to provide attackers unrestricted access to Hashnode’s server, according to Akamai researchers in a report shared with The Hacker News.
When a web application is deceived into exposing or running unauthorised files on a server, directory traversal, information disclosure, remote code execution, and cross-site scripting (XSS) assaults can occur.
Because the web application failed to properly sanitise the path to a file that was passed as input, the flaw could have serious ramifications in that an attacker could navigate to any path on the server and access sensitive information, including the /etc/passwd file, which contains a list of users on the server.
The researchers claimed that they were able to determine the server’s IP address and private secure shell (SSH) key using this vulnerability.
While the vulnerability has since been fixed, the findings come as Akamai reported that between September 1, 2021, and February 28, 2022, it recorded more than five billion LFI attacks, a 141 percent increase over the previous six months.
“A threat actor could get knowledge about the network for future surveillance,” the researchers wrote. “LFI attacks are an attack vector that could cause considerable damage to an organisation.”