language.php line 49: trim(htmlspecialchars(basename($_GET['lang']))).'.xml'))
truncate the name, chars like "../../../" are deleted.
Additionally fixed: 60b5bbb, the characters are now filtered.
In \apps\phpsysinfo3.1.12/language/language.php
60: echo file_get_contents(APP_ROOT . '/language/' . $lang . '.xml');
is presented where $lang is defined as:
52: $lang = basename($_GET['lang']);
Which can be exploited like
localhost/phpsysinfo/language/language.php?lang=../../../stufftoinclude
which can be extended with null bytes to contain any other file that isn't XML too.
Thanks,
Paulos
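
A stricter way to resolve the `lang` parameter discussed in this thread, as an added example (not phpSysInfo's code and not the change in 60b5bbb): an allowlist on the value followed by a `realpath()` containment check. `LANG_DIR`, `resolve_language_file()`, the accepted code pattern and the demo file contents are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical location of the translation files (assumption for this example).
const LANG_DIR = __DIR__ . '/language';

/**
 * Resolve a user-supplied language code to an XML file inside $dir,
 * or return null if the value is not acceptable.
 */
function resolve_language_file(string $lang, string $dir = LANG_DIR): ?string
{
    // 1. Allowlist: short lowercase codes only (e.g. "en", "pt-br").
    //    Anything containing "/", "\", ".", a NUL byte or other characters is refused.
    if (preg_match('/\A[a-z]{2,3}(?:-[a-z]{2,4})?\z/', $lang) !== 1) {
        return null;
    }

    // 2. Canonicalise and confirm the result is still inside the language directory.
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $lang . '.xml');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the directory (e.g. through a symlink)
    }
    return $path;
}

// Constructed demo: a temporary language directory holding a single file.
$dir = sys_get_temp_dir() . '/lang_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/en.xml', '<language id="en"/>'); // constructed content

// Constructed inputs, including the value from the report above.
$samples = ['en', '../../../stufftoinclude', "en\0", 'en.xml', 'de'];
foreach ($samples as $s) {
    $r = resolve_language_file($s, $dir);
    printf("%-28s => %s\n", json_encode($s), $r === null ? 'rejected' : 'served');
}

unlink($dir . '/en.xml');
rmdir($dir);
```

Only `en` is served; the traversal string, the NUL-suffixed value and `en.xml` fail the allowlist, and `de` fails because no such file exists in the directory.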