CVE-2025-28367 Overview
CVE-2025-28367 is a directory traversal vulnerability affecting mojoPortal content management system versions <=2.9.0.1. The flaw resides in the BetterImageGallery API Controller, specifically within the ImageHandler action. Attackers can traverse the file system by manipulating path parameters passed to the image handler endpoint. Successful exploitation allows unauthenticated retrieval of the Web.Config file, which exposes the ASP.NET MachineKey. Disclosure of the MachineKey enables downstream attacks including ViewState forgery and potential remote code execution. The vulnerability is tracked under [CWE-284: Improper Access Control].
Critical Impact
Unauthenticated attackers can retrieve Web.Config and extract the ASP.NET MachineKey, enabling ViewState deserialization attacks against the host application.
Affected Products
- mojoPortal versions <=2.9.0.1
- BetterImageGallery API Controller component
- ASP.NET applications relying on the exposed MachineKey
Discovery Timeline
- 2025-04-21 - CVE-2025-28367 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-28367
Vulnerability Analysis
The vulnerability exists in the BetterImageGallery API Controller's ImageHandler action within mojoPortal <=2.9.0.1. The handler accepts a file path parameter without properly validating or canonicalizing the input against a restricted directory. Attackers supply directory traversal sequences such as ../ to escape the intended image directory. This allows the handler to serve arbitrary files residing on the web server file system.
The most impactful target is Web.Config, the root ASP.NET configuration file. This file contains the <machineKey> element, which stores the validation and decryption keys used to sign and encrypt ViewState, forms authentication tickets, and session identifiers. Exposure of the MachineKey breaks the integrity guarantees of the entire ASP.NET application.
Root Cause
The root cause is improper access control [CWE-284] combined with missing path canonicalization. The ImageHandler action does not enforce that resolved file paths remain within the designated image gallery directory. No allowlist of file extensions or directory boundaries is applied before the file is read and returned in the HTTP response.
Attack Vector
Exploitation occurs remotely over the network without authentication. An attacker sends a crafted HTTP request to the BetterImageGallery endpoint with a path parameter containing traversal sequences pointing to Web.Config. The server returns the file contents in the response body. The attacker parses the returned XML and extracts the validationKey and decryptionKey values. These keys can then be used with tools such as ysoserial.net to forge signed ViewState payloads and achieve code execution on the server.
No verified proof-of-concept code has been published. Refer to the 0xLanks CVE-2025-28367 Advisory for exploitation details.
Detection Methods for CVE-2025-28367
Indicators of Compromise
- HTTP requests to BetterImageGallery endpoints containing ../ or URL-encoded traversal sequences such as %2e%2e%2f
- Web server access logs showing successful 200 responses for image handler requests referencing Web.Config or files outside the gallery directory
- Unexpected outbound requests or ViewState-based POSTs following suspicious inbound image handler activity
Detection Strategies
- Inspect IIS or reverse proxy logs for requests to ImageHandler action paths containing directory traversal patterns
- Deploy web application firewall rules that block traversal sequences in query strings targeting mojoPortal endpoints
- Alert on any HTTP response served by BetterImageGallery that returns content types inconsistent with image data
Monitoring Recommendations
- Monitor Web.Config file read events on the mojoPortal web server host
- Correlate anomalous image handler traffic with subsequent ViewState __VIEWSTATE POSTs that fail signature validation or trigger deserialization
- Track EPSS trends for CVE-2025-28367, currently 2.148% with percentile 79.987, to prioritize response
How to Mitigate CVE-2025-28367
Immediate Actions Required
- Restrict network access to mojoPortal administrative and gallery endpoints where feasible
- Rotate the ASP.NET MachineKey values if exposure is suspected, then re-encrypt sensitive configuration sections
- Review web server logs for historical exploitation attempts against BetterImageGalleryImageHandler requests
Patch Information
No vendor-confirmed patched version is referenced in the advisory data. Consult the GitHub MojoPortal Repository for the latest releases and the 0xLanks CVE-2025-28367 Advisory for remediation guidance. Upgrade to a release later than 2.9.0.1 once a fixed version is published by the vendor.
Workarounds
- Disable or remove the BetterImageGallery feature until a fixed version is available
- Deploy WAF rules that block traversal patterns such as ../, ..\, and their URL-encoded equivalents on gallery endpoints
- Use aspnet_regiis -pe to encrypt the <machineKey> and <connectionStrings> sections of Web.Config to reduce impact of file disclosure
# Encrypt sensitive Web.Config sections to reduce disclosure impact
aspnet_regiis -pef "system.web/machineKey" "C:\inetpub\wwwroot\mojoportal"
aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\mojoportal"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

