A Directory Traversal vulnerability #40
Comments
Zh3-H4ck
changed the title
|
Yes, indeed. Fix is added to the repo. |
apmuthu
added a commit
to apmuthu/frontac24
that referenced
this issue
Jul 23, 2020
Should this issue be closed? |
|
ok |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
test version:2.4.7
0x00 description
Frontaccounting is using the function clean_file_name() to eliminate '../' in the file name submitted by the user to avoid directory traversal vulnerability.
However, some variables do not use the function clean_file_name() in admin/inst_lang.php, which can cause attackers submit the language package containing the language code of '../'. Affter adding successfully, by deleting it, the attacker can emptied specified folder like the examples.
admin/inst_lang.php:156
admin/inst_lang.php:240
0x01 Example:empty admin folder
Before clearing the admin folder
The administrator logs in and creates a new language pack
Set the language code to ../admin and save it
Delete the language pack you just created
After deleting successfully, the admin folder will be emptied
The text was updated successfully, but these errors were encountered: