← Advisories

CultBooking 2.0.4 (lang) Local File Inclusion Vulnerability

High
Advisory ID
ZSL-2011-4988
Release Date
22 January 2011
Vendor
Cultuzz Digital Media GmbH - http://www.cultuzz.com
Affected Version
2.0.4
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

Open source hotel booking system (Internet Booking Engine (IBE)). Via a central api called CultSwitch it is possible to make bookings and set the actual availabilities in the hotels pms. This is easy to install and easy to integrate with full support.

Description

CultBooking suffers from a local file inlcusion/disclosure (LFI/FD) vulnerability when input passed thru the 'lang' parameter to cultbooking.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

Proof of Concept
cultbooking_lfi.txtTXT
Disclosure Timeline
16.01.2011Vulnerability discovered.
16.01.2011Initial contact with the vendor.
20.01.2011No response from vendor.
22.01.2011Public advisory released.
07.02.2011Vendor releases version 2.0.5 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.exploit-db.com/exploits/16028/
[2]http://www.exploit-db.com/ghdb/3677/
[3]http://secunia.com/advisories/43036/
[4]http://www.securityfocus.com/bid/45965
[5]http://securityreason.com/exploitalert/9871
[6]http://securityreason.com/exploitalert/9877
[7]http://packetstormsecurity.org/files/97807
[8]http://osvdb.org/show/osvdb/70632
[9]http://xforce.iss.net/xforce/xfdb/64855
Changelog
22.01.2011Initial release
24.01.2011Added reference [3] and [4]
25.01.2011Added reference [5], [6] and [7]
26.01.2011Added reference [8]
27.01.2011Added reference [9]
07.02.2011Updated vendor status