Directory Listing and LFI at www.kakao.com


Summary

On October 7, 2021, I discovered an LFI via File Download vulnerability in www.kakao.com. This is a very critical vulnerability: the Directory Listing vulnerability can be used to identify the directory structure, and then all files can be downloaded, including main system files, server configuration files, and source code.


Platform(s) Affected

https://www.kakao.com/download/url

The attack vector existed in the URL above.


How to find and exploit

Not authorized


Proof of Concept

Not authorized