iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability
Title: iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability
Advisory ID: ZSL-2011-5041
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 16.09.2011
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
[2] http://www.exploit-db.com/exploits/17850/
[3] http://packetstormsecurity.org/files/105187
[4] http://1337day.com/exploits/16928
[5] http://securityreason.com/wlb_show/WLB-2011090087
[6] http://xforce.iss.net/xforce/xfdb/69917
[17.09.2011] - Added reference [1] and [2]
[18.09.2011] - Added reference [3], [4] and [5]
[22.09.2011] - Added reference [6]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2011-5041
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 16.09.2011
Summary
iBrowser is an image browser plugin for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions. It allows image browsing, resizing on upload, directory management and more with the integration of the phpThumb image library.Description
iBrowser suffers from a file inlcusion vulnerability (LFI) / file disclosure vulnerability (FD) when input passed thru the 'lang' parameter to ibrowser.php, loadmsg.php, rfiles.php and symbols.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.--------------------------------------------------------------------------------
/langs/lang.class.php
----------------
67: function loadData() {
68: global $cfg;
69: include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
70: $this -> charset = $lang_charset;
71: $this -> dir = $lang_direction;
72: $this -> lang_data = $lang_data;
73: unset( $lang_data );
74: include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
75: $this -> default_lang_data = $lang_data;
76: }
--------------------------------------------------------------------------------
Vendor
net4visions.com - http://www.net4visions.comAffected Version
<= 1.4.1 Build 10182009Tested On
Microsoft Windows XP Professional SP3 (EN)Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/APoC
ibrowser_lfi.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.securityfocus.com/bid/49663[2] http://www.exploit-db.com/exploits/17850/
[3] http://packetstormsecurity.org/files/105187
[4] http://1337day.com/exploits/16928
[5] http://securityreason.com/wlb_show/WLB-2011090087
[6] http://xforce.iss.net/xforce/xfdb/69917
Changelog
[16.09.2011] - Initial release[17.09.2011] - Added reference [1] and [2]
[18.09.2011] - Added reference [3], [4] and [5]
[22.09.2011] - Added reference [6]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
