File Inclusion Attack #2 #573

Closed
Shinkurt opened this issue Dec 18, 2016 · 1 comment

@Shinkurt

commented Dec 18, 2016

There is a File Inclusion attack in the file Piwigo/admin/languages.php

```php
// line 34
$page['tab'] = $_GET['tab'];
// line 46
include (PHPWG_ROOT_PATH . 'admin/languages_' . $page['tab'] . '.php');  // languages_installed.php
```

A user-controlled variable is being sent straight to include(); this should have checks for allowed strings before that.

Thanks,

@plegall plegall closed this in 4b33a0f Dec 19, 2016
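
The allowed-strings check the report asks for, as an added example that is not part of the issue and not the project's own fix in 4b33a0f. The function name `resolve_language_tab` is hypothetical, and the tab names other than `installed` are assumed; only `languages_installed.php` appears in the report.

```php
<?php
// Added example, not Piwigo code. Tab names other than 'installed' are assumptions.
const ALLOWED_TABS = ['installed', 'update', 'new'];
const DEFAULT_TAB  = 'installed';

/**
 * Turn the request's 'tab' value into an include path.
 * Only exact, case-sensitive matches against ALLOWED_TABS are accepted,
 * so the value can never contribute path separators, '..' or NUL bytes.
 */
function resolve_language_tab(array $query, string $root): string
{
    $tab = $query['tab'] ?? DEFAULT_TAB;

    // ?tab[]=x arrives as an array; reject it before any string handling.
    if (!is_string($tab) || !in_array($tab, ALLOWED_TABS, true)) {
        throw new InvalidArgumentException('invalid tab parameter');
    }

    return $root . 'admin/languages_' . $tab . '.php';
}

// Constructed sample requests: default, valid, traversal, array, NUL suffix.
$samples = [
    [],
    ['tab' => 'installed'],
    ['tab' => '../../some/other/file'],
    ['tab' => ['installed']],
    ['tab' => "installed\0"],
];

foreach ($samples as $query) {
    try {
        $path = resolve_language_tab($query, './');
        // Real code would include($path) here; the demo only prints it.
        echo json_encode($query), ' => ', $path, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($query), ' => rejected', PHP_EOL;
    }
}
```

Only the first two sample requests resolve to a path; the other three are rejected before any path is built.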

@Shinkurt

commented Dec 19, 2016

Use CVE-2016-10085 for this.

plegall added a commit that referenced this issue Jan 1, 2017

@plegall plegall self-assigned this Jan 1, 2017

@plegall plegall added the Type: Bug label Jan 1, 2017

@plegall plegall added this to the 2.8.5 milestone Jan 1, 2017
