[Security Bugs] Arbitrary File Read #48

Open
trichimtrich opened this issue May 25, 2017 · 1 comment
trichimtrich commented May 25, 2017

Hi, there is an arbitrary file read bug in

```php
if(isset($_GET['url']) && !empty($_GET['url'])) {
	$file_path = HELP.'/'.$sysconf['default_lang'].'/'.$_GET['url'];
	if(!file_exists($file_path)) {
		echo __('File Not Found');
	} else {
		//Convert Markdown to HTML
		$markdown_text = file_get_contents($file_path); //bibliography/add-new-bibliography.md
```

We can traverse the directory path and use an arbitrary filename in `$_GET['url']`.
So an attacker can read any file (including source code, config) in the system.
PoC:

[image: 2017_05_26_lfi1]

This bug is executable by everyone who has the librarian role (single).

dicarve (Collaborator) commented Jun 5, 2017

Hi trichimtrich,

Thank you very much for your findings on this security issue. Hopefully we can resolve this issue ASAP.

Regards
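
One way to close the traversal reported in this issue, as an added example that is not from the thread or from the project's code base: canonicalize the requested path with `realpath()` and serve it only if it stays inside the help directory. The helper name `resolve_help_path()`, the rule that help pages end in `.md`, and the sample directory tree are assumptions made for the example.

```php
<?php
// Added example: containment check for the help-file lookup quoted in the issue.
// resolve_help_path() is a hypothetical helper, not part of the project.
function resolve_help_path(string $helpRoot, string $lang, string $requested): ?string
{
    // Canonical base directory; realpath() returns false if it does not exist.
    $base = realpath($helpRoot . DIRECTORY_SEPARATOR . $lang);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes and anything that is not a Markdown file (assumed rule).
    if (strpos($requested, "\0") !== false || !preg_match('/\.md\z/i', $requested)) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false means the file is missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The resolved file must sit under the base directory. The trailing
    // separator stops a sibling such as "en_backup" from matching "en".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample tree in a temp directory so the demo runs offline.
$root = sys_get_temp_dir() . '/help_demo_' . bin2hex(random_bytes(4));
mkdir("$root/help/en/bibliography", 0700, true);
file_put_contents("$root/help/en/bibliography/add-new-bibliography.md", "# Add\n");
file_put_contents("$root/config.md", "not a help page\n"); // outside the help tree

$cases = [
    'bibliography/add-new-bibliography.md' => true,  // legitimate help page
    '../../config.md'                      => false, // resolves outside help/en
    'bibliography/../../../config.md'      => false, // same, via a subdirectory
    'missing.md'                           => false, // no such file
];
foreach ($cases as $input => $expectServed) {
    $served = resolve_help_path("$root/help", 'en', $input) !== null;
    if ($served !== $expectServed) {
        throw new RuntimeException("unexpected result for $input");
    }
    printf("%-38s %s\n", $input, $served ? 'served' : 'rejected');
}
```

In the handler quoted above, the result of such a check would replace `$file_path`, with a `null` result taking the existing "File Not Found" branch.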
