CVE-2018-25184
Description
Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the content parameter. Attackers can supply directory traversal sequences through the content parameter in index.php to access sensitive system files like configuration and initialization files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Surreal ToDo 0.6.1.2 is vulnerable to local file inclusion via the content parameter, allowing unauthenticated attackers to read arbitrary files.
The vulnerability is a local file inclusion (LFI) in Surreal ToDo version 0.6.1.2. The application fails to sanitize the content parameter in index.php, allowing directory traversal sequences such as ../../ to be injected. This enables an attacker to include arbitrary files from the server's filesystem [1].
Exploitation does not require authentication. An attacker can send a crafted HTTP GET request to index.php?content=../../path/to/file. The PoC demonstrates reading win.ini on a Windows server, but any readable file can be targeted. The application processes the parameter without proper validation, leading to file inclusion [1].
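The root cause described above is an include path built directly from the `content` parameter. The following is an added illustration, not Surreal ToDo's code and not taken from the CVE record: it places the flawed join-and-include pattern beside a hardened resolver that maps the parameter onto a fixed allowlist of page names and then confirms the resolved path still lies inside the pages directory. The directory layout, the `.php` suffix, and the allowlist entries are assumptions made for the example.

```python
"""
Added example (not Surreal ToDo's code): confining a `content`-style include
parameter so traversal sequences such as ../../ cannot reach files outside the
intended directory.  Paths, page names and the .php suffix are assumptions.
"""
import os
from urllib.parse import unquote

# Hypothetical allowlist of pages the application is meant to include.
ALLOWED_PAGES = {"home", "list", "about"}


def unsafe_resolve(base_dir: str, content: str) -> str:
    """The flawed pattern behind the CVE: the request parameter is joined onto
    the base directory with no validation, so '../../' walks out of it."""
    return os.path.normpath(os.path.join(base_dir, unquote(content)))


def is_confined(root: str, candidate: str) -> bool:
    """True only if candidate (after symlink resolution) sits under root."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def safe_resolve(base_dir: str, content: str):
    """Return the absolute path of an allowlisted page, or None.

    Layer 1: the decoded value must be one of the known page names, which by
    construction contain no separators, dots or NUL bytes.
    Layer 2: even for an allowlisted name, verify the resolved real path is
    still inside base_dir (guards against a stray symlink in the pages dir).
    """
    name = unquote(content)
    if name not in ALLOWED_PAGES:
        return None
    candidate = os.path.join(os.path.realpath(base_dir), name + ".php")
    if not is_confined(base_dir, candidate):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    base = "/srv/todo/pages"  # assumed location of the include directory
    for value in ("home", "../../win.ini", "%2e%2e%2f%2e%2e%2fwin.ini"):
        print(f"{value!r:32} unsafe -> {unsafe_resolve(base, value)}")
        print(f"{'':32} safe   -> {safe_resolve(base, value)}")
```

The allowlist is the real control; `is_confined` is defence in depth for the case where the pages directory itself contains something unexpected. Rejecting on `..` alone is weaker than this, because encodings and absolute paths would each need their own rule.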
Impact is information disclosure. An attacker can read sensitive system files, such as configuration files (e.g., config.php), initialization files, or other application data. This could expose credentials, database settings, or other secrets, potentially leading to further compromise.
The vendor has not released a patch; the software appears unmaintained. Users should consider upgrading or removing the application if it is exposed. The vulnerability is listed in Exploit-DB, indicating public exploit availability [1].
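With no vendor patch, defenders who cannot remove the application immediately will want to know whether the `content` parameter is being probed. The following is an added example, not part of the CVE record: it parses Combined Log Format access-log lines, isolates requests to `index.php`, decodes the `content` value (twice, to catch double URL-encoding) and flags traversal sequences. The log lines are constructed samples; the hostnames, addresses and timestamps in them are not real traffic.

```python
"""
Added example (not part of the CVE record): flag CVE-2018-25184-style
traversal attempts against index.php's `content` parameter in access logs.
The log text below is constructed for the example.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log in Combined Log Format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2026:10:01:02 +0000] "GET /todo/index.php?content=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2026:10:01:09 +0000] "GET /todo/index.php?content=../../win.ini HTTP/1.1" 200 92 "-" "curl/8.0"
203.0.113.7 - - [18/May/2026:10:01:15 +0000] "GET /todo/index.php?content=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.4 - - [18/May/2026:10:02:00 +0000] "GET /todo/index.php?content=list HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.4 - - [18/May/2026:10:02:30 +0000] "GET /todo/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status from a Combined Log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path component bounded by slash/backslash or string edges.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def find_traversal_attempts(log_text, param="content", script="index.php"):
    """Return one dict per request whose `param` value contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + script):
            continue
        # parse_qs already decodes once; decode again for double-encoded input.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            decoded = unquote(value)
            if TRAVERSAL_RE.search(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "value": decoded,
                })
    return hits


def attempts_by_source(hits):
    """Count flagged requests per client address for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]}  {h["ip"]:15}  HTTP {h["status"]}  content={h["value"]}')
    print("per source:", dict(attempts_by_source(found)))
```

A 200 status on a flagged request is the signal to escalate: it suggests the include succeeded rather than erroring out. Matching on the decoded value matters because the raw log line for the third request contains no literal `../`.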
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.