FirstBlood-#322File Enumeration inside /api/checkproof.php?proof=file:///etc/passwd
This issue was discovered on FirstBlood v2

On 2021-10-25, neolex Level 2 reported:


The following endpoint : GET /api/checkproof.php?proof=file:///etc/passwd is vulnerable. An attacker can enumerate every file inside the server with the proof parameter

If the attacker use an existing file uri the response will be "true" and if the file doesn't exist the reponse will be false

Step to reproduce

  • Open the following url :

    and you will get true because /etc/passwd is an existent file.

  • Open the following url :

    and the response will be false because the file /etc/noexists doesn't exist.


It is possible for an attacker to enumerate file inside the webserver

P4 Low

Endpoint: /api/

Parameter: proof

Payload: file:///etc/passwd

FirstBlood ID: 42
Vulnerability Type: Information leak/disclosure

The endpoint /api/checkproof.php can be used to check if an arbitrary file path exists on the server. There is no real impact from this and it's not something we intentionally added as an issue so this won't count towards a unique finding.