LFI #107

Closed
Shinkurt opened this issue Feb 1, 2016 · 1 comment
Shinkurt commented Feb 1, 2016

In \apps\phpsysinfo3.1.12/language/language.php

60: echo file_get_contents(APP_ROOT . '/language/' . $lang . '.xml');

is present, where $lang is defined as:

52: $lang = basename($_GET['lang']);

Which can be exploited like

localhost/phpsysinfo/language/language.php?lang=../../../stufftoinclude

which can be extended with null bytes to contain any other file that isn't XML too.

Thanks,
Paulos

Member

namiltd commented Feb 1, 2016

language.php line 49: trim(htmlspecialchars(basename($_GET['lang']))).'.xml'))
truncates the name; chars like "../../../" are deleted.
Additionally fixed: 60b5bbb, the characters are now filtered.

Source code is not vulnerable.

namiltd added a commit that referenced this issue Feb 1, 2016
@namiltd namiltd closed this as completed Feb 2, 2016
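
An added example (not part of the issue thread and not phpSysInfo's code) of the behaviour discussed above: `basename()` discards the directory components of the `lang` value, and an allowlist plus a `realpath()` containment check handles whatever remains. The function name `resolve_language_file()` and the temporary fixture files are assumptions made for this illustration.

```php
<?php
// Added example, not phpSysInfo code. resolve_language_file() and the
// temporary directory layout are hypothetical names used for illustration.

function resolve_language_file(string $langDir, string $lang): ?string
{
    // basename() drops every directory component: "../../../x" becomes "x".
    $name = basename($lang);

    // Allowlist what is left. This rejects NUL bytes, dots and backslashes
    // (basename() does not treat "\" as a separator on Unix).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }

    // Resolve symlinks and confirm the file really sits inside $langDir.
    $base = realpath($langDir);
    $path = realpath($langDir . DIRECTORY_SEPARATOR . $name . '.xml');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed fixture: one language file, and one file a level above it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($root . '/language', 0700, true);
file_put_contents($root . '/language/en.xml', '<lang/>');
file_put_contents($root . '/secret.xml', '<secret/>');

// Constructed inputs, including the request shape quoted in the report.
$inputs = ['en', '../secret', '../../../stufftoinclude', "en\0.php", '..\\secret', ''];
foreach ($inputs as $in) {
    $out = resolve_language_file($root . '/language', $in);
    printf("%-28s basename=%-18s => %s\n",
        json_encode($in), json_encode(basename($in)),
        $out === null ? 'rejected' : 'served ' . basename($out));
}

// Remove the fixture.
unlink($root . '/language/en.xml');
unlink($root . '/secret.xml');
rmdir($root . '/language');
rmdir($root);
```

Only `en` is served; `../secret` is reduced to `secret` by `basename()` and then fails the existence check inside the language directory.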