Jafar Abo Nada

Published On: 17 May 2019


Local File Inclusion in peering.google.com

Google | Web

I found an Local File Inclusion 'LFI' Vulnerability in "Google's Edge Network".


As it is known, the impacts of exploiting a Local File Inclusion (LFI) vulnerability vary from information disclosure to complete compromise of the system. Even in cases where the included code is not executed, it can still give an attacker enough valuable information to be able to compromise the system,As is the case of the security vulnerability we are reporting.


disclosed Local server Files

Reproduction Steps



Open any picture in another window for example: "https://peering.google.com/static/images/couch-ipad.png".


Add one of this value at the end of the link: ("../../../../../../../etc/passwd") OR ("../../../../../../../proc/self/cmdline") OR ("../../../../../../../proc/self/stat") OR  ("../../../../../../../proc/self/status").


Now you are viewing sensitive information about the server.

Example Leak Data:

1.The attacker gets information about the server and Kernel data. PoC: "/proc/version" OR "/proc/cpuinfo" OR "proc/meminfo") Example leak data: "Linux version 3.*.* #1 SMP" 2.The attacker gets information about the files on the server. PoC:"proc/self/cmdline") Example: "server_software=Google App Engine/1.*.* 3.The attacker gets information about the internal network. PoC:"proc/self/cmdline") Example:"apihost_address=169.*.*.253:* /server_address=169.*.*.2:*" 4.The attacker gets information about the operations and the time they run on the server. PoC: "proc/self/stat") Example: "(python27g_runti)" 5.The attacker gets sensitive information about the operation processes and the ability of the system that can contribute well in measuring the size of denial of service attacks. PoC: "proc/self/status"). Example: "FDSize: 11, VmSize: 1134532 kB, VmRSS: 134860 kB, Threads: 17" and More...


Jafar 22 Jun 2018

The report was submitted

Google 22 Jun 2018

First Responce

Google 22 Jun 2018

vulnerability was accepted

Google 10 Jul 2018

Bounty awarded Thank you for reporting this bug. As part of Google's Vulnerability Reward Program, the panel has decided to issue a reward of $3133.70.

Google 22 Jul 2018

Vulnerability Fixed Our systems show that all the bugs we decided to create based on your report have been fixed. Feel free to check and let us know if it looks OK o ... See More