Zh3-H4ck changed the title from "a Directory Traversal vulnerability" to "A Directory Traversal vulnerability" on Nov 12, 2019
Test version: 2.4.7
0x00 Description
FrontAccounting uses the function clean_file_name() to eliminate '../' from file names submitted by the user, to avoid directory traversal vulnerabilities.
However, some variables in admin/inst_lang.php do not go through clean_file_name(), which allows an attacker to submit a language package whose language code contains '../'. After adding it successfully and then deleting it, the attacker can empty a specified folder, as in the example below.
admin/inst_lang.php:156
admin/inst_lang.php:240

0x01 Example: empty the admin folder
Before clearing the admin folder:

1. The administrator logs in and creates a new language pack.
2. Set the language code to ../admin and save it.
3. Delete the language pack you just created.

After deleting successfully, the admin folder will be emptied.
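The check that is missing on the two reported lines, shown as an added defender-side example (not FrontAccounting's own code, and written in Python rather than the project's PHP so the logic can be run stand-alone): an allow-list for the language code plus a realpath containment check before anything under the language directory is deleted. The `/srv/fa` paths, the code pattern and the `demo()` sandbox are constructed assumptions for illustration.

```python
import os
import re
import shutil
import tempfile

# Assumed allow-list for language codes such as "en_GB" or "zh_CN":
# letters, digits and underscore only, so "../admin" never reaches the filesystem.
LANG_CODE_RE = re.compile(r"^[A-Za-z]{2,3}(_[A-Za-z0-9]{2,8})?$")


def is_valid_lang_code(code: str) -> bool:
    """First layer: reject any code that is not a plain language identifier."""
    return LANG_CODE_RE.fullmatch(code) is not None


def is_inside(lang_root: str, code: str) -> bool:
    """Second layer: resolve <lang_root>/<code> and require it to stay inside lang_root.

    Independent of the allow-list, so a missed sanitiser elsewhere (the bug in the
    report) still cannot turn a delete of a language pack into a delete of ../admin.
    """
    root = os.path.realpath(lang_root)
    target = os.path.realpath(os.path.join(root, code))
    return target != root and os.path.commonpath([root, target]) == root


def delete_language_pack(lang_root: str, code: str) -> str:
    """Delete a language pack only after both checks pass; returns the resolved path."""
    if not is_valid_lang_code(code) or not is_inside(lang_root, code):
        raise ValueError(f"rejected language code: {code!r}")
    target = os.path.realpath(os.path.join(lang_root, code))
    if os.path.isdir(target):
        shutil.rmtree(target)
    return target


def demo() -> dict:
    """Constructed sandbox install with lang/en_GB and admin/inst_lang.php."""
    base = tempfile.mkdtemp()
    lang_root, admin = os.path.join(base, "lang"), os.path.join(base, "admin")
    os.makedirs(os.path.join(lang_root, "en_GB"))
    os.makedirs(admin)
    open(os.path.join(admin, "inst_lang.php"), "w").close()
    results = {}
    try:
        delete_language_pack(lang_root, "../admin")   # the report's traversal case
        results["traversal_blocked"] = False
    except ValueError:
        results["traversal_blocked"] = True
    results["admin_intact"] = os.path.exists(os.path.join(admin, "inst_lang.php"))
    delete_language_pack(lang_root, "en_GB")          # a legitimate pack still deletes
    results["pack_removed"] = not os.path.exists(os.path.join(lang_root, "en_GB"))
    shutil.rmtree(base)
    return results
```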
