[Bug 258695] Local file inclusion bug

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 23 Sep 2021 16:30:03 UTC

            Bug ID: 258695
           Summary: Local file inclusion bug
           Product: Documentation
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Website
          Assignee: doc@FreeBSD.org
          Reporter: hackerookie@wearehackerone.com

Created attachment 228137
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228137&action=edit
file - /etc/passwd

Hello team!

I have found a local file inclusion bug on your website, with which I'm able to
get the passwd and pwd.db files.

## Steps to reproduce

1. Visit https://ftp2.ru.freebsd.org/etc/
2. Now you have the option to download the passwd and pwd.db files.

## Impact

The server has a local file inclusion vulnerability.

## Mitigation

- Log in to the web server.
- Locate the Nginx configuration template (see "Locating the Nginx
configuration file")
- Add the deny directive (see "The Deny Directive") to the server block of your
site's configuration
- Save your changes and restart Nginx

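The deny directive named in the mitigation steps, shown as an added example that is not part of the original report or of the FreeBSD project's configuration. The host name and the `/etc/` path come from the report; the listen port, document root and `autoindex` setting are assumptions.

```nginx
server {
    listen 80;                          # assumed port
    server_name ftp2.ru.freebsd.org;    # host named in the report
    root /usr/local/www/mirror;         # assumed document root (placeholder)

    # Refuse every request under /etc/, including the directory listing
    # and the passwd and pwd.db files mentioned in the report.
    # "^~" makes this prefix match final, so no regex location defined
    # elsewhere in the server block can take over the request.
    location ^~ /etc/ {
        deny all;                       # nginx answers 403 Forbidden
    }

    # Assumed: the rest of the mirror keeps serving directory listings.
    location / {
        autoindex on;
    }
}
```

Running `nginx -t` before the restart checks the edited configuration for syntax errors.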