Mirage
NovaPan's log viewer seems a little too helpful. Can you see past the mirage?
The Scenario
NovaPan is a self-hosted hosting control panel founded in 2016 and bundled by a handful of European budget hosts, with licences starting at $9/month per server and somewhere around 30,000 active installs. The log-viewer feature was refactored two releases ago when a community contributor sent in a patch hardening the input handler, and the third-party auditors marked it 'low risk' after running their usual checklist against it. The contributor's patch did exactly what its commit message said it did, and nothing more.
Challenge Intel
Synopsis
A beginner-level local file inclusion lab hiding behind a hosting panel's log viewer.
What It Is
NovaPan is a hosting control panel whose log-viewing feature looks harmless on the surface. The auditors waved it through because naive traversal attempts bounced off a basic filter, but a closer look at how paths are resolved tells a different story. A good first contact with path-traversal and LFI-style thinking.
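To make the distinction concrete, here is an added example (not NovaPan's code; the directory layout, file names and function names are assumptions) showing the kind of text-only check that satisfies a checklist audit beside a resolver that checks the canonical path the OS would actually open:

```python
import os
import tempfile
from pathlib import Path

def naive_filter_accepts(requested: str) -> bool:
    # The text-level check a shallow audit is satisfied by: it looks for a
    # traversal substring and never asks the OS which file would be opened.
    return "../" not in requested and not requested.startswith("/")

def resolve_log_path(requested: str, base: Path) -> Path:
    """Return the file `requested` names inside `base`, or raise."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or malformed log name")
    base_real = base.resolve()
    # Join, then canonicalise: '..' components collapse and symlinks are
    # followed, so the check below is made on the file the OS would open.
    candidate = (base_real / requested).resolve()
    # Containment is a path-component test, not a string-prefix test: with
    # startswith(), a sibling such as "<base>-old" would slip through.
    if base_real not in candidate.parents:
        raise PermissionError(f"{requested!r} resolves outside {base_real}")
    if candidate.suffix != ".log":
        raise PermissionError("only .log files may be viewed")
    return candidate

def is_allowed(requested: str, base: Path) -> bool:
    try:
        resolve_log_path(requested, base)
        return True
    except (ValueError, PermissionError):
        return False

def make_demo_dir() -> Path:
    """Constructed sample data (hypothetical): a log dir with one real log and
    a symlink to a file outside it, the edge a text filter cannot see."""
    root = Path(tempfile.mkdtemp())
    logs, other = root / "logs", root / "other"
    for d in (logs, other):
        d.mkdir()
    (logs / "access.log").write_text("constructed: 127.0.0.1 GET / 200\n")
    (other / "secret.log").write_text("constructed: not a panel log\n")
    os.symlink(other / "secret.log", logs / "archive.log")
    return logs

if __name__ == "__main__":
    logs = make_demo_dir()
    for name in ("access.log", "archive.log", "../other/secret.log"):
        print(f"{name:22} text filter={naive_filter_accepts(name)!s:5} "
              f"resolver={is_allowed(name, logs)}")
```

The symlinked `archive.log` passes the text filter and is rejected by the resolver, which is the gap between "looks like a traversal" and "opens a file outside the log directory".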
Who It's For
Beginners who want a friendly introduction to local file inclusion and path-traversal concepts.
Skills You'll Practice
- Path traversal against filtered inputs
- Local file inclusion fundamentals
- Filter-bypass reasoning for path handlers
- Recognising file-viewer abuse patterns
- Reading server responses for inclusion tells
What You'll Gain
- A confidence-building first LFI solve
- Working knowledge of how filters fail at the edges
- Appreciation for why shallow audits miss real bugs
- Vocabulary for describing traversal findings in reports