Sunday, March 15, 2026

la inteligenttsia.

Technical Vulnerability Report: Multiple Critical Misconfigurations & Information Disclosure

1. Executive Summary

During a security assessment of the Bolt CMS Prelive environment, several critical vulnerabilities were identified. By bypassing the WAF/Cloudflare layer and interacting directly with the origin server (52.28.81.208), I gained access to sensitive system diagnostics (phpinfo.php), internal network architecture, and absolute file system paths. Furthermore, the application is susceptible to User Enumeration, allowing an attacker to map valid corporate identities.

2. Vulnerability Details

A. Critical Information Disclosure via phpinfo.php
Severity: Critical (CVSS: 9.1)
Description: The origin server exposes a full PHP diagnostic page. This leaks environment variables, loaded modules, and server configuration.
Impact: Disclosure of internal IP addresses (+++++++++++++), AWS Trace IDs, and the absolute document root (/var/www/nexsysonev3/).

B. Origin Server IP Discovery (WAF Bypass)
Severity: High
Description: The backend server at +++++++++++ accepts direct HTTPS connections using the Host: cms.prelive.bolt.eu header.
Impact: This renders the Cloudflare/WAF protections useless, as an attacker can launch payloads (SQLi, brute force) directly against the origin without rate limiting or filtering.

C. User Enumeration via Fingerprint API
Severity: Medium/High
Description: The endpoint /login/fingerprintregister returns a distinct error message ("User ID or email is not found") when an invalid identity is provided.
Impact: Attackers can perform automated credential stuffing or user mapping to identify valid Bolt employee accounts.

D. Insecure File Extension Policy
Severity: Medium
Description: The global.js configuration explicitly allows the upload/handling of dangerous extensions, including .sql, .db, .log, and .kml.
Impact: Combined with the known path /var/www/nexsysonev3/, this increases the risk of Arbitrary File Access if backup files are stored in reachable directories.

3. Steps to Reproduce

Direct Origin Access: Execute a request to the origin IP, bypassing DNS:
curl -k -I -H "Host: +++++++++++++++" https://+++++++++++++++/nexsysonev3/

Access Diagnostics: Navigate to https://++++++++/++++++++/phpinfo.php to view the full system environment.

Perform Enumeration: Send a POST request to the registration endpoint:
curl -X POST -d "userid=admin&email=test@bolt.eu" https://52.28.81.208/nexsysonev3/login/fingerprintregister
Observe the JSON response, which confirms whether the user exists.

4. Impact Assessment

An attacker can use the disclosed internal paths and network IPs to plan lateral movement within Bolt's AWS infrastructure. The exposure of the development environment with live backend configuration poses a significant risk of a full database breach or unauthorized administrative access.

5. Recommendations

Immediate: Remove phpinfo.php and any other diagnostic scripts from the production and prelive environments.
WAF Hardening: Configure the origin security groups (AWS SG) to accept traffic only from Cloudflare's IP ranges.
API Security: Sanitize API responses to return generic error messages (e.g., "Invalid credentials or request") to prevent user enumeration.
System Hardening: Disable directory listing and restrict access to sensitive file extensions (.sql, .log, .env) via Apache .htaccess or virtual host configuration.
