The Notes service functions as a platform for storing private notes. It offers various features such as registration, authentication, note addition, and site translation incorporation.
There is a vulnerability within the language change feature, allowing the injection of arbitrary content to be parsed via php wrappers through parse_ini_file(). Exploiting this vulnerability enables the retrieval of arbitary environment variables, revealing the secret key used to sign data in a user's JWT token. With this secret key, unauthorized access to the system as any user becomes possible.
To exploit this vulnerability, follow these steps:
- Generate a payload (HOME=${SECRET};) using php_filter_chain_generator.
- Insert the payload into
cookies['language']. - Visit the site to obtain the environment variable
$SECRET. - Generate a JWT token with payload
{'user_id': user_id}. - Access the
/notespage with the generated JWT token to retrieve the flag.