Summary
Vulnerability Details
- LFI (Local File Inclusion)
The vulnerable script was located here:
http://www.bitdefender.com/downloadFile.php?language=in&fileName=pok.txt&filePath=../../../../../../etc/passwd
Normally this script serves file downloads from the web server, but because the filePath parameter was not validated, the "../" sequences in it were honoured and an attacker could download and read any file the web server process could open (the URL above fetches /etc/passwd).
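The following is an added illustration of the flaw and its fix, not code from the Bitdefender script (which is PHP and was never published). It assumes a hypothetical download root of /var/www/downloads; the real directory is not known from the report. vulnerable_resolve() mirrors the behaviour described above (user input joined straight onto the directory), and safe_resolve() shows the check a download handler needs: canonicalize the candidate path and accept it only if it still lies under the root, rejecting NUL bytes and absolute paths on the way.

```python
import posixpath
from pathlib import Path

# Assumed document root for served downloads (hypothetical; the actual
# directory on the Bitdefender host is not given in the report).
DOWNLOAD_ROOT = "/var/www/downloads"


def vulnerable_resolve(download_root: str, file_path: str) -> str:
    """Mirror the behaviour the report describes: the user-supplied filePath
    is joined onto the download directory with no validation, so '..'
    components walk out of it. Returns the normalized path the server would
    end up opening (pure string work, no filesystem access)."""
    return posixpath.normpath(posixpath.join(download_root, file_path))


def safe_resolve(download_root: str, file_path: str):
    """Hardened variant: resolve the candidate path (symlinks included) and
    accept it only if it is still under the download root.
    Returns the resolved Path, or None when the request is rejected."""
    # Embedded NULs: older C/PHP code truncated the path at the first NUL,
    # a classic way to defeat suffix/extension checks. Refuse them outright.
    if "\x00" in file_path:
        return None
    # An absolute file_path would replace the root when joined; refuse it
    # explicitly (the containment check below would also catch it).
    if file_path.startswith(("/", "\\")):
        return None
    try:
        root = Path(download_root).resolve()
        candidate = (root / file_path).resolve()
        # relative_to() raises ValueError when candidate is not under root.
        candidate.relative_to(root)
    except (ValueError, OSError):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the traversal from the report and a benign one.
    for fp in ("../../../../../../etc/passwd", "products/pok.txt"):
        print(f"{fp!r}: vulnerable -> {vulnerable_resolve(DOWNLOAD_ROOT, fp)}, "
              f"safe -> {safe_resolve(DOWNLOAD_ROOT, fp)}")
```

Note that the check is done on the resolved path, not on the raw string: stripping "../" from input is easily bypassed (".../..//", URL-encoded variants, symlinks inside the root), whereas comparing the canonical result against the canonical root is independent of how the traversal was spelled.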
- OAuth Bug
This vulnerability was caused by an unvalidated URL redirect (an open redirect in the OAuth flow) and allowed me to steal users' access tokens.
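As an added example (not code from Bitdefender's OAuth implementation, whose endpoints and registered URIs the report does not give), the block below contrasts a prefix-style redirect check, the kind that lets the authorization response and the token in it land on an attacker's host, with exact-match validation of redirect_uri against the client's registered set. The registered URI https://www.example.com/oauth/callback is a placeholder assumption.

```python
from urllib.parse import urlsplit

# Assumed client registration (hypothetical): the exact redirect URI(s)
# this client is allowed to use.
REGISTERED_REDIRECT_URIS = {"https://www.example.com/oauth/callback"}


def weak_redirect_check(redirect_uri: str) -> bool:
    """A typical flawed check: a prefix match on the trusted origin.
    Subdomain look-alikes and userinfo tricks both pass it."""
    return redirect_uri.startswith("https://www.example.com")


def is_registered_redirect(redirect_uri: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match validation of redirect_uri against the registered set.
    Scheme and host are case-normalized, the path must match byte for byte,
    and userinfo, explicit port, query and fragment are refused so the URI
    cannot smuggle a different host or a second-hop redirect."""
    try:
        p = urlsplit(redirect_uri)
        if p.scheme != "https" or not p.hostname:
            return False
        if p.username is not None or p.password is not None or p.port is not None:
            return False
        if p.query or p.fragment:
            return False
        normalized = f"https://{p.hostname}{p.path}"  # hostname is already lowercased
    except ValueError:  # malformed URL or port
        return False
    return normalized in registered


def handle_authorize(params: dict) -> dict:
    """The decision the authorization endpoint must make: with a missing or
    unregistered redirect_uri it must not redirect at all (RFC 6749 3.1.2.4)
    but render an error to the user instead of bouncing the browser."""
    uri = params.get("redirect_uri", "")
    if not is_registered_redirect(uri):
        return {"action": "render_error", "error": "invalid_request"}
    return {"action": "redirect", "location": uri}


if __name__ == "__main__":
    # Constructed sample redirect targets an attacker might try.
    for uri in ("https://www.example.com/oauth/callback",
                "https://www.example.com.evil.com/oauth/callback",
                "https://www.example.com@evil.com/oauth/callback",
                "https://www.example.com/oauth/callback?next=https://evil.com"):
        print(f"{uri}: weak={weak_redirect_check(uri)} strict={is_registered_redirect(uri)}")
```

Refusing a query string is deliberate: a callback that itself honours a "next" parameter turns an exactly matched redirect_uri into a two-hop open redirect, which still delivers a fragment-borne token to the final destination.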
- XSS (Cross-Site Scripting)
An XSS vulnerability in one of Bitdefender's subdomains.
Thanks,
@dekeeu