← Advisories

iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability

Medium

Advisory ID

ZSL-2011-5042

Release Date

16 September 2011

Vendor

net4visions.com - http://www.net4visions.com

Affected Version

<= 1.2.8 Build 02012008

CVE

N/A

Tested On

Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41

Summary

With iManager you can manage your files/images on your webserver, and it provides user interface to most of the phpThumb() functions. It works either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor.

Description

iManager suffers from a file inlcusion vulnerability (LFI) / file disclosure vulnerability (FD) when input passed thru the 'lang' parameter to imanager.php, rfiles.php, symbols.php, colorpicker.php, loadmsg.php, ov_rfiles.php and examples.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

/langs/lang.class.php
----------------
function loadData() {
   global $cfg;
   include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
   $this -> charset = $lang_charset;
   $this -> dir = $lang_direction;
   $this -> lang_data = $lang_data;
   unset( $lang_data );
   include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
   $this -> default_lang_data = $lang_data;
}

Proof of Concept

imanager_lfi.txtTXT

Disclosure Timeline

N/A

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]http://www.securityfocus.com/bid/49663

[2]http://www.exploit-db.com/exploits/17851/

[3]http://packetstormsecurity.org/files/105188

[4]http://secunia.com/advisories/46063/

[5]http://www.securelist.com/en/advisories/46063