← Advisories

iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

Medium

Advisory ID

ZSL-2011-5041

Release Date

16 September 2011

Vendor

net4visions.com - http://www.net4visions.com

Affected Version

<= 1.4.1 Build 10182009

CVE

N/A

Tested On

Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41

Summary

iBrowser is an image browser plugin for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions. It allows image browsing, resizing on upload, directory management and more with the integration of the phpThumb image library.

Description

iBrowser suffers from a file inlcusion vulnerability (LFI) / file disclosure vulnerability (FD) when input passed thru the 'lang' parameter to ibrowser.php, loadmsg.php, rfiles.php and symbols.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

/langs/lang.class.php
----------------
function loadData() {
   global $cfg;
   include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
   $this -> charset = $lang_charset;
   $this -> dir = $lang_direction;
   $this -> lang_data = $lang_data;
   unset( $lang_data );
   include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
   $this -> default_lang_data = $lang_data;
}

Proof of Concept

ibrowser_lfi.txtTXT

Disclosure Timeline

N/A

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]http://www.securityfocus.com/bid/49663

[2]http://www.exploit-db.com/exploits/17850/

[3]http://packetstormsecurity.org/files/105187

[4]http://1337day.com/exploits/16928

[5]http://securityreason.com/wlb_show/WLB-2011090087

[6]http://xforce.iss.net/xforce/xfdb/69917

Changelog

16.09.2011Initial release

17.09.2011Added reference [1] and [2]

18.09.2011Added reference [3]

20.09.2011Added reference [4] and [5]

22.09.2011Added reference [6]