Zh3-H4ck changed the title from "a Directory Traversal vulnerability" to "A Directory Traversal vulnerability" on Nov 12, 2019
Test version: 2.4.7
0x00 Description
FrontAccounting uses the function clean_file_name() to eliminate '../' from file names submitted by the user, in order to avoid directory traversal vulnerabilities.
However, some variables in admin/inst_lang.php do not go through clean_file_name(), which allows attackers to submit a language package whose language code contains '../'. After it has been added successfully, deleting it lets the attacker empty a specified folder, as in the examples below.
admin/inst_lang.php:156
admin/inst_lang.php:240
![2019-11-12_104205](https://user-images.githubusercontent.com/33822448/68640053-8922e500-0541-11ea-93fa-f75c5f173761.png)
0x01 Example: empty admin folder
Before clearing the admin folder
![2019-11-12_113112](https://user-images.githubusercontent.com/33822448/68640065-8e802f80-0541-11ea-9d7e-461486d20516.png)
The administrator logs in and creates a new language pack
![2019-11-12_112847](https://user-images.githubusercontent.com/33822448/68640076-97710100-0541-11ea-9786-cc14f20fd813.png)
![2019-11-12_112935](https://user-images.githubusercontent.com/33822448/68640080-993ac480-0541-11ea-9366-09cb1cf5514e.png)
Set the language code to ../admin and save it
![2019-11-12_113003](https://user-images.githubusercontent.com/33822448/68640086-9c35b500-0541-11ea-93d4-1902a895fe8a.png)
Delete the language pack you just created
![2019-11-12_113206](https://user-images.githubusercontent.com/33822448/68640093-9fc93c00-0541-11ea-8d40-156be986b08c.png)
After deleting successfully, the admin folder will be emptied
![2019-11-12_113248](https://user-images.githubusercontent.com/33822448/68640098-a35cc300-0541-11ea-9909-7be66130ba7b.png)
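The fix the report implies is to validate the language code before it is ever turned into a path, rather than stripping '../' afterwards. The following PHP is an added illustration written for this page; it is not FrontAccounting's code and does not use its APIs. It assumes language packs live under a root directory `$langRoot` (a hypothetical path) and that a legitimate code looks like `en_US` or `zh_CN`; the function names `is_valid_lang_code`, `resolve_lang_dir` and `safe_remove_lang_dir` are invented for the example. It shows an allowlist check on the code plus a canonical-path containment check, so a code of `../admin` is rejected before any delete runs.

```php
<?php
// Added example (not FrontAccounting's code): defensive handling of a
// user-supplied language code before it is used to build a filesystem path.
// Assumptions: language packs live under $langRoot (hypothetical path) and a
// valid code looks like "en_US" or "zh_CN" (letters, digits, underscore, hyphen).

declare(strict_types=1);

// Reject anything that is not a plain language-code token. An allowlist
// beats stripping '../' because there is nothing left to bypass.
function is_valid_lang_code(string $code): bool
{
    return (bool) preg_match('/^[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*$/', $code);
}

// Resolve the pack directory and confirm it is strictly inside $langRoot.
// realpath() collapses '..' and symlinks, so the prefix check runs on the
// canonical path, not on the string the user sent.
function resolve_lang_dir(string $langRoot, string $code): ?string
{
    if (!is_valid_lang_code($code)) {
        return null;
    }
    $root = realpath($langRoot);
    $dir  = realpath($langRoot . DIRECTORY_SEPARATOR . $code);
    if ($root === false || $dir === false) {
        return null;
    }
    // Require the separator so "/lang/en" does not match "/lang/en_evil".
    if ($dir === $root || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

// Remove one language pack directory, refusing anything resolve_lang_dir() rejects.
function safe_remove_lang_dir(string $langRoot, string $code): bool
{
    $dir = resolve_lang_dir($langRoot, $code);
    if ($dir === null) {
        // Log the rejected input; a burst of these is worth an alert.
        error_log('refused to remove language pack for code: ' . var_export($code, true));
        return false;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    return rmdir($dir);
}

// Demonstration against a temporary tree constructed here (constructed sample data,
// not a real installation).
$langRoot = sys_get_temp_dir() . '/lang_' . bin2hex(random_bytes(4));
mkdir("$langRoot/admin_sibling", 0700, true);   // stands in for a folder that must survive
mkdir("$langRoot/en_US", 0700, true);
file_put_contents("$langRoot/en_US/LC_MESSAGES.po", "msgid \"\"\n");

var_dump(is_valid_lang_code('../admin'));              // traversal-style code is rejected outright
var_dump(safe_remove_lang_dir($langRoot, '../admin')); // refused, nothing on disk is touched
var_dump(safe_remove_lang_dir($langRoot, 'en_US'));    // a legitimate pack is removed
var_dump(is_dir("$langRoot/admin_sibling"));          // the neighbouring folder survives

// Clean up the constructed tree.
rmdir("$langRoot/admin_sibling");
rmdir($langRoot);
```

Run it with `php example.php` on any PHP 7.1+ interpreter. The design point is that the allowlist regex does the real work; the realpath containment check is a second, independent barrier that also catches symlinks and platform-specific path oddities the regex cannot see.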