Directory Traversal (LFI)

Hello everyone,
I have recently reported a Directory Traversal to Yahoo! that I’d like to share with everyone. As I was roaming around the website (which redirects to I came across the following link:

Of course, the first thing I did was to just simply remove the html file out of the url and see what I get:

and sure enough I was able to see the file directory:


I also tried to read the passwd file located in etc:

and I was successful:


According to a good friend of mine, I could and should have done the following to get a Remote Command Execution:

An attacker may be able to inject the following code by sending a get request such as

<? passthru($_GET[command]) ?>

and inject that into the log file to use as a backdoor

But I didn’t think about the following, nor to record my PoC due to all the adrenaline I was feeling when I discovered this vulnerability.

Thank you for reading!

2014-02-06 Reported
2014-02-10 Status changed to triaged
2014-02-11 Fixed

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>