Directory enumeration via ext.php · Advisory · FreshRSS/FreshRSS · GitHub
Directory enumeration via ext.php
Severity: Low
Package: No package listed
Affected versions: <=1.26.1
Patched versions: 1.26.2
CVSS v3 base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: None
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVE ID: CVE-2025-31134
Weaknesses: No CWEs
Credits: Inverle (Reporter)
Description
Summary
An attacker can gain additional information about the server by checking whether certain directories exist.
PoC
First, UserJS or UserCSS needs to be enabled and have submitted contents, so that there is an existing file to refer to.
Then navigate to a URL like
https://192.168.91.132:8080/ext.php?f=../../../../etc/apache2/../../var/www/FreshRSS/data/users/[your_username]/extensions/UserJS/script.js&t=js
to see whether the /etc/apache2 directory exists on the server (you have to know the full path of the FreshRSS installation directory). You can also enumerate users without knowing the installation path:
https://192.168.91.132:8080/ext.php?f=[some_user]/../[your_username]/extensions/UserJS/script.js&t=js&t=js
If you get a "File is not supported." error, the directory does not exist; if you get the contents of your UserJS, the directory exists.
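To show why a traversal in the `f` parameter behaves as an existence oracle, and how validating the name before the filesystem resolves it closes that oracle, here is an added Python illustration (not FreshRSS's PHP code and not the project's actual fix); the user names, directory layout and function names are constructed.

```python
import os
import tempfile

# Constructed stand-in for a FreshRSS-style data/users tree (hypothetical
# user names and layout, not the project's real code or paths).
USERS_BASE = tempfile.mkdtemp()
_script = os.path.join(USERS_BASE, "alice", "extensions", "UserJS", "script.js")
os.makedirs(os.path.dirname(_script))
os.makedirs(os.path.join(USERS_BASE, "bob"))  # an existing sibling user
with open(_script, "w") as fh:
    fh.write("console.log('user js');\n")

NOT_SUPPORTED = "File is not supported."


def serve_resolve_first(rel: str) -> str:
    """Weak pattern: join the untrusted name and let the OS resolve it.
    POSIX walks '..' component by component, so whether the stat succeeds
    depends on whether every intermediate directory exists. That difference
    in response is the existence oracle described in the advisory."""
    path = os.path.join(USERS_BASE, rel)
    if not path.endswith(".js") or not os.path.isfile(path):
        return NOT_SUPPORTED
    with open(path) as fh:
        return fh.read()


def is_plain_relative(rel: str) -> bool:
    """Lexical check made before any filesystem access: relative, forward
    slashes only, no NUL, and no empty, '.' or '..' segments."""
    if rel.startswith("/") or "\\" in rel or "\x00" in rel:
        return False
    return all(seg not in ("", ".", "..") for seg in rel.split("/"))


def serve_validate_first(rel: str) -> str:
    """Hardened pattern: reject traversal syntactically, then serve. Every
    rejected name gets the same response whatever exists on disk, so the
    reply no longer depends on directories outside the user's own tree."""
    if not is_plain_relative(rel):
        return NOT_SUPPORTED
    return serve_resolve_first(rel)


if __name__ == "__main__":
    probe = "carol/../alice/extensions/UserJS/script.js"  # 'carol' does not exist
    print("resolve-first :", serve_resolve_first(probe))   # File is not supported.
    print("validate-first:", serve_validate_first(probe))  # File is not supported.
    print("own file      :", serve_validate_first("alice/extensions/UserJS/script.js"))
```

The key point is that the hardened variant answers identically for `bob/../alice/...` and `carol/../alice/...`, so the response no longer reveals which of the two directories exists.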
Impact
An attacker can check whether older PHP versions or certain other software are installed on the server and potentially use that information to attack the server further.