The Notes service is a platform for storing private notes. It offers registration, authentication, note creation and a site translation feature.
The vulnerability lies in the language change feature: the value chosen by the user is handed to parse_ini_file(), so a php://filter wrapper chain can inject arbitrary content that the function then parses as INI. Because parse_ini_file() expands ${VAR} references from the process environment, a crafted INI line leaks arbitrary environment variables, including the secret key used to sign the data in a user's JWT token. With that key, a token can be forged for any user, giving unauthorized access to the system as that user.
To exploit this vulnerability, follow these steps:
- Generate a php://filter chain for the payload HOME=${SECRET}; using php_filter_chain_generator.
- Insert the generated chain into cookies['language'].
- Visit the site to obtain the value of the environment variable $SECRET.
- Generate a JWT token with payload {'user_id': user_id}, signed with $SECRET.
- Access the /notes page with the generated JWT token to retrieve the flag.