CultBooking 2.0.4 (lang) Local File Inclusion Vulnerability

Title: CultBooking 2.0.4 (lang) Local File Inclusion Vulnerability
Advisory ID: ZSL-2011-4988
Type: Local
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 22.01.2011
Summary
Open source hotel booking system (Internet Booking Engine, IBE). Via a central API called CultSwitch it is possible to make bookings and set the actual availabilities in the hotel's PMS. It is easy to install and easy to integrate, with full support.
Description
CultBooking suffers from a local file inclusion/disclosure (LFI/FD) vulnerability: input passed through the 'lang' parameter to the cultbooking.php script is not properly verified before being used to include files. This can be exploited to include files from local resources via directory traversal and URL-encoded NULL bytes.
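As an added illustration (not CultBooking's source and not part of the advisory), the kind of include pattern the description refers to, beside a hardened version that maps the request value onto a fixed allowlist. The file layout, function names and language list are assumptions made for the example.

```php
<?php
// Constructed example: the 'lang/' directory, the .php suffix and the
// language list are assumptions, not CultBooking's real layout.

// Vulnerable pattern (assumed): the request value becomes part of the
// include path. "../" walks out of the directory, and on PHP releases of
// the era tested in the advisory a URL-encoded NUL byte (%00) cut the
// path short, so the trailing ".php" no longer constrained the file type.
function lang_file_unsafe($lang)
{
    return __DIR__ . '/lang/' . $lang . '.php';
}

// Hardened form: the request value is never used as a path component.
// It is compared, strictly, against a fixed list and replaced by the
// default on any mismatch (traversal, NUL bytes, arrays, odd casing).
const SUPPORTED_LANGS = ['en', 'de', 'fr', 'it', 'es'];   // assumed list
const DEFAULT_LANG = 'en';

function lang_file_safe($lang)
{
    if (!is_string($lang) || !in_array($lang, SUPPORTED_LANGS, true)) {
        $lang = DEFAULT_LANG;
    }
    return __DIR__ . '/lang/' . $lang . '.php';
}

// Defence in depth: confirm the resolved file really lives under lang/,
// so a mistake elsewhere cannot turn this include into an LFI again.
function is_under_lang_dir($path)
{
    $base = realpath(__DIR__ . '/lang');
    $real = realpath($path);
    return $base !== false && $real !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

$requested = isset($_GET['lang']) ? $_GET['lang'] : DEFAULT_LANG;
$file = lang_file_safe($requested);
if (is_under_lang_dir($file)) {
    include $file;   // only ever one of the allowlisted files
}
```

Matching against the allowlist is what closes the hole; the realpath check is a second guard, not a substitute for it.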
Vendor
Cultuzz Digital Media GmbH - http://www.cultuzz.com
Affected Version
2.0.4
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[16.01.2011] Vulnerability discovered.
[16.01.2011] Initial contact with the vendor.
[20.01.2011] No response from vendor.
[22.01.2011] Public advisory released.
[07.02.2011] Vendor releases version 2.0.5 to address this issue.
PoC
cultbooking_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/16028/
[2] http://www.exploit-db.com/ghdb/3677/
[3] http://secunia.com/advisories/43036/
[4] http://www.securityfocus.com/bid/45965
[5] http://securityreason.com/exploitalert/9871
[6] http://securityreason.com/exploitalert/9877
[7] http://packetstormsecurity.org/files/97807
[8] http://osvdb.org/show/osvdb/70632
[9] http://xforce.iss.net/xforce/xfdb/64855
Changelog
[22.01.2011] - Initial release
[24.01.2011] - Added reference [3] and [4]
[25.01.2011] - Added reference [5], [6] and [7]
[26.01.2011] - Added reference [8]
[27.01.2011] - Added reference [9]
[07.02.2011] - Updated vendor status
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk