Harry Sintonen
Infosec consultant at REVƎЯSEC https://reversec.com/ - Coding, Research + various other interests
- 10 Posts
- 2 Comments
Joined 3 years ago
Cake day: November 18th, 2022
Harry Sintonen@infosec.exchange (OP) to Cybersecurity@fedia.io • A reminder that upgrading your server might shut down parts of the security-related components and leave services unintentionally exposed.
3 points · 5 months ago
Post mortem:
This issue was made possible by a misconfiguration where “AllowOverride None” was used by accident. That made it possible to read the configuration file even though a .htaccess file preventing it is in place.
So in part this specific issue was a mistake by the admin (read: myself). I think it still highlights an issue that could occur in many other ways as well. It is best to restrict network access to servers when upgrading them.
PS: If you can’t do things right at least make it possible for others to learn from your mistakes. 🙂
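
As an added illustration of the misconfiguration described in the post mortem above (example configuration written for this page, not the author's actual server config; the directory path, the file name `config.inc` and the Apache 2.4 syntax are assumptions), here is the ineffective setup next to two ways to fix it. With `AllowOverride None`, Apache never opens `.htaccess` in that directory tree, so any access rules placed there are silently ignored:

```apache
# --- Ineffective: the main config disables .htaccess processing ---
<Directory "/var/www/example">
    # With None, httpd does not even read .htaccess in this tree,
    # so the rules in the .htaccess shown below are never applied.
    AllowOverride None
</Directory>

# Contents of /var/www/example/.htaccess (ignored by the block above).
# config.inc is a hypothetical file name standing in for the real one.
<Files "config.inc">
    Require all denied
</Files>

# --- Fix 1: let .htaccess override access control ---
<Directory "/var/www/example">
    # "AuthConfig" permits Require in .htaccess; the legacy
    # Order/Allow/Deny form (mod_access_compat) needs "Limit" instead.
    AllowOverride AuthConfig
</Directory>

# --- Fix 2 (preferred): keep AllowOverride None and put the
# protection in the main config, so it cannot be lost when
# an upgrade or edit changes the override policy ---
<Directory "/var/www/example">
    AllowOverride None
    <Files "config.inc">
        Require all denied
    </Files>
</Directory>
```

After changing either variant, run `apachectl configtest`, reload, and check from outside the host that a request for the protected file returns 403 rather than its contents. The main-config variant also spares httpd the per-request `.htaccess` lookup, and it keeps the access rule in the same file set a config review or upgrade diff would actually look at.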

@gnyman@infosec.exchange No kidding? I can only recommend that anyone doing research on N-Able avoid going through their “bug bounty” program. They actively cite the program rules to shut down disclosure, namely that I cannot show how trivial the attack is to pull off by using mitmproxy. So there is no way for me to challenge their obviously flawed scoring of the vulnerability.
ref https://infosec.exchange/@harrysintonen/112999715864274188