Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-28367

CVE-2025-28367: Mojoportal Path Traversal Vulnerability

CVE-2025-28367 is a path traversal vulnerability in Mojoportal that allows attackers to access sensitive files like Web.Config and obtain the MachineKey. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-28367 Overview

CVE-2025-28367 is a directory traversal vulnerability affecting mojoPortal content management system versions <=2.9.0.1. The flaw resides in the BetterImageGallery API Controller, specifically within the ImageHandler action. Attackers can traverse the file system by manipulating path parameters passed to the image handler endpoint. Successful exploitation allows unauthenticated retrieval of the Web.Config file, which exposes the ASP.NET MachineKey. Disclosure of the MachineKey enables downstream attacks including ViewState forgery and potential remote code execution. The vulnerability is tracked under [CWE-284: Improper Access Control].

Critical Impact

Unauthenticated attackers can retrieve Web.Config and extract the ASP.NET MachineKey, enabling ViewState deserialization attacks against the host application.

Affected Products

  • mojoPortal versions <=2.9.0.1
  • BetterImageGallery API Controller component
  • ASP.NET applications relying on the exposed MachineKey

Discovery Timeline

  • 2025-04-21 - CVE-2025-28367 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-28367

Vulnerability Analysis

The vulnerability exists in the BetterImageGallery API Controller's ImageHandler action within mojoPortal <=2.9.0.1. The handler accepts a file path parameter without properly validating or canonicalizing the input against a restricted directory. Attackers supply directory traversal sequences such as ../ to escape the intended image directory. This allows the handler to serve arbitrary files residing on the web server file system.

The most impactful target is Web.Config, the root ASP.NET configuration file. This file contains the <machineKey> element, which stores the validation and decryption keys used to sign and encrypt ViewState, forms authentication tickets, and session identifiers. Exposure of the MachineKey breaks the integrity guarantees of the entire ASP.NET application.

Root Cause

The root cause is improper access control [CWE-284] combined with missing path canonicalization. The ImageHandler action does not enforce that resolved file paths remain within the designated image gallery directory. No allowlist of file extensions or directory boundaries is applied before the file is read and returned in the HTTP response.

Attack Vector

Exploitation occurs remotely over the network without authentication. An attacker sends a crafted HTTP request to the BetterImageGallery endpoint with a path parameter containing traversal sequences pointing to Web.Config. The server returns the file contents in the response body. The attacker parses the returned XML and extracts the validationKey and decryptionKey values. These keys can then be used with tools such as ysoserial.net to forge signed ViewState payloads and achieve code execution on the server.

No verified proof-of-concept code has been published. Refer to the 0xLanks CVE-2025-28367 Advisory for exploitation details.

Detection Methods for CVE-2025-28367

Indicators of Compromise

  • HTTP requests to BetterImageGallery endpoints containing ../ or URL-encoded traversal sequences such as %2e%2e%2f
  • Web server access logs showing successful 200 responses for image handler requests referencing Web.Config or files outside the gallery directory
  • Unexpected outbound requests or ViewState-based POSTs following suspicious inbound image handler activity

Detection Strategies

  • Inspect IIS or reverse proxy logs for requests to ImageHandler action paths containing directory traversal patterns
  • Deploy web application firewall rules that block traversal sequences in query strings targeting mojoPortal endpoints
  • Alert on any HTTP response served by BetterImageGallery that returns content types inconsistent with image data

Monitoring Recommendations

  • Monitor Web.Config file read events on the mojoPortal web server host
  • Correlate anomalous image handler traffic with subsequent ViewState __VIEWSTATE POSTs that fail signature validation or trigger deserialization
  • Track EPSS trends for CVE-2025-28367, currently 2.148% with percentile 79.987, to prioritize response

How to Mitigate CVE-2025-28367

Immediate Actions Required

  • Restrict network access to mojoPortal administrative and gallery endpoints where feasible
  • Rotate the ASP.NET MachineKey values if exposure is suspected, then re-encrypt sensitive configuration sections
  • Review web server logs for historical exploitation attempts against BetterImageGalleryImageHandler requests

Patch Information

No vendor-confirmed patched version is referenced in the advisory data. Consult the GitHub MojoPortal Repository for the latest releases and the 0xLanks CVE-2025-28367 Advisory for remediation guidance. Upgrade to a release later than 2.9.0.1 once a fixed version is published by the vendor.

Workarounds

  • Disable or remove the BetterImageGallery feature until a fixed version is available
  • Deploy WAF rules that block traversal patterns such as ../, ..\, and their URL-encoded equivalents on gallery endpoints
  • Use aspnet_regiis -pe to encrypt the <machineKey> and <connectionStrings> sections of Web.Config to reduce impact of file disclosure
bash
# Encrypt sensitive Web.Config sections to reduce disclosure impact
aspnet_regiis -pef "system.web/machineKey" "C:\inetpub\wwwroot\mojoportal"
aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\mojoportal"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.