Skip to main content

One Cloud-based Local File Inclusion = Many Companies affected


Hi everyone, Today, I'm going to share how I found a Local File Inclusion that affected companies like Facebook, Linkedin, Dropbox and many others.




The LFI was located at the cloud system of Oracle Responsys. For those who do not know Responsys is an enterprise-scale cloud-based business to consumer (B2C). Responsys gives every Business their own "private IP" to use the system in a private way. Business are not sharing IP with other companies.)

How did I found this bug?

Well as usual I was looking for bugs and I note that Facebook was sending me developer emails from the subdomain em.facebookmail.com. For example on my inbox, I had emails from fbdev@em.facebookmail.com

This got me interested on the subdomain em.facebookmail.com and after a quick DIG I note that this subdomain was connected to "Responsys" which I had previously seen in other Pentests



Responsys is providing em.facebookmail.com with the email services as you can see above. The original link I found in my inbox was something like this:

http://em.facebookmail.com/pub/cc?_ri_=X0Gzc2X%3DWQpglLjHJlYQGkSIGbc52zaRY0i6zgzdzc6jpzcASTGzdzeRfAzbzgJyH0zfzbLVXtpKX%3DSRTRYRSY&_ei_=EolaGGF4SNMvxFF7KucKuWNhjeSKbKRsHLVV55xSq7EoplYQTaISpeSzfMJxPAX8oMMhFTpOYUvvmgn-WhyT6yBDeImov65NsCKxmYwyOL0.

I note that the parameter "_ri_=" is required in order to generate a valid request. And after a bit of testing around, I found that the system was not correctly handling double URL Encoding and using a correct value at the parameter "_ri_"  I could inject "%252fetc%252fpasswd" into the URL path.

This was not properly sanitized and was allowing directory traversal characters to be injected and with this retrieve internal files from the affected server.

An example of the Vulnerable URL:

http://em.facebookmail.com/pub/sf/%252fetc%252fpasswd?_ri_=X0Gzc2X%3DYQpglLjHJlYQGrzdLoyD13pHoGgHNjCWGRBIk4d6Uw74cgmmfaDIiK4za7bf4aUdgSVXMtX%3DYQpglLjHJlYQGnnlO8Rp71zfzabzewzgLczg7Ulwbazahw8uszbNYzeazdMjhDzcmJizdNFCXgn&_ei_=Ep0e16vSBKEscHnsTNRZT2jxEz5WyG1Wpm_OvAU-aJZRZ_wzYDw97ETX_iSmseE


Soon as I saw the vulnerability I knew that this LFI was not only affecting Facebook but also many other companies. All of them using different Private IPs provided by Responsys.

A quick Google Search show me other affected companies with this same bug.



Copying a valid value from the parameter _ri_ to the target company I could retrieve internal information using the same technique.




The impacts of exploiting a Local File Inclusion (LFI) vary from information disclosure to complete compromise of the systems. In this case the impact it worst because one vulnerability affected multiple companies data.

I report this bug to Oracle and the bug got fixed within a week.



Popular posts from this blog

Dangerous Persistent XSS at Here.com [FIX]

 Here.com, is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.  HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood. With this bug I could SAVE a Road name with a payload on the map. Any user that try on re-edit the street name will get this XSS. I report a similar bug to Waza.com a few months ago .  Nokia Reponse:   Thanks to Nokia for starting this bug bounty program .

Store XSS on Main page of Flickr.com and Mobile Inteface

Flickr is an image hosting and video hosting website, and web services suite that was created by Ludicorp in 2004 and acquired by Yahoo in 2005.  Flickr had a total of 87 million registered members and more than 3.5 million new images uploaded daily. In August 2011 the site reported that it was hosting more than 6 billion images and this number continues to grow steadily according to reporting sources. I start doing my security research on flickr.com and I found some cool bugs but this XSS was my favorite because the XSS was showing on Flickr main page and on the Mobile interface at m. flickr.com.   Affecting millions of users for sure..   This attack works by inviting the Victim to a group. The XSS  loads when the victim get notify about a group invitation. Making this XSS very dangerous and perfect to target specific people or people in general. I report this two bugs to Yahoo Security team and I got two nice reward. Thanks Yahoo security Te...