CVE-2024-22723 | Webtrees Vulnerability: Uncovering Sensitive Data Through Path Traversal
Webtrees is a free, open-source, web-based genealogy application intended for collaborative use.
As an administrator logged into the application, I had access to the “Manage Media” section. However, I noticed that it was not possible to directly edit the ‘media/’ directory within the application interface.
Upon examining the application’s URL structure, I encountered the “media_folder” parameter, which is linked to the media folder. To probe further, I inserted ‘..’ after the ‘%2F’ in the URL, which represents a forward slash (‘/’) in URL encoding. By doing this, I successfully navigated back one directory level in the application’s file system.
This maneuver allowed me to access several sensitive files within the application. Most notably, I could open the ‘config.ini.php’ file. This file contained critical information about the application’s database, including the database username (‘dbuser=’) and password (‘dbpass=’), which were plainly listed.
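For defenders reviewing web server logs, the check below flags requests whose “media_folder” value resolves outside the ‘media/’ directory. It is an added example, not code from the original write-up or from the webtrees project. The log format, the `/example` URL path, the sample lines and all function names are assumptions made for illustration; only the parameter name and the ‘media/’ folder come from the description above.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

MEDIA_ROOT = "media"  # the 'media/' directory named in the write-up

# Constructed sample access-log lines (combined log format, made-up URL path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2024:10:00:00 +0000] "GET /example?media_folder=media%2F HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Feb/2024:10:00:09 +0000] "GET /example?media_folder=media%2F.. HTTP/1.1" 200 7340',
    '192.0.2.22 - - [01/Feb/2024:10:02:41 +0000] "GET /example?media_folder=media%2Fphotos%2F HTTP/1.1" 200 4096',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a value that was
    encoded more than once is compared in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_media_root(folder):
    """Return True if the folder value resolves outside MEDIA_ROOT."""
    folder = fully_decode(folder).replace("\\", "/")
    if folder.startswith("/"):
        return True  # absolute paths never belong in this parameter
    resolved = posixpath.normpath(folder)  # collapses '..' and '.' segments
    return resolved != MEDIA_ROOT and not resolved.startswith(MEDIA_ROOT + "/")

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for each request to investigate."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]      # e.g. 'GET /path?query HTTP/1.1'
            target = request.split(" ")[1]
        except IndexError:
            continue                          # not a request line, skip it
        params = parse_qs(urlsplit(target).query)
        for value in params.get("media_folder", []):
            if escapes_media_root(value):
                hits.append((line.split(" ")[0], fully_decode(value)))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested media_folder={value!r} outside {MEDIA_ROOT}/")
```

The same containment test (normalise the path first, then compare it against the allowed root) is what a server-side fix would apply before touching the filesystem.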