Monsta FTP 1.3 Local File Inclusion
Posted on 13 September 2013
Source: packetstormsecurity.org
Author: Jason Whelan
PacketStorm: exploitdev
Email: exploitdevj@gmail.com
Target Software: Monsta FTP v1.3
Vendor URL: http://www.monstaftp.com
Vendor Contacted: 09/09/2013
Vendor Response: 10/09/2013
Hotfix Release: 11/09/2013
Local File Inclusion
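index.php does not properly sanitize user input before including the
language settings file. setLangFile() copies the POSTed "lang" value
into $_SESSION["lang"], and line 90 then concatenates that value into
the include() path.
An attacker can exploit this vulnerability by sending a malicious "lang"
$_POST string. Versions <=1.3 prior to the hotfix are affected.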
Vulnerable Code

Line 90:

    if ($_SESSION["lang"] == "" || isset($_POST["lang"]))
        setLangFile();
    include("languages/".$_SESSION["lang"]);

Line 3771:

    function setLangFile() {
        // The order of these determines the proper display
        if ($_COOKIE["lang"] != "")
            $lang = $_COOKIE["lang"];
        if ($_SESSION["lang"] != "")
            $lang = $_SESSION["lang"];
        if (isset($_POST["lang"]))
            $lang = $_POST["lang"];
        if ($lang == "") {
            $dir = "languages";
            if (is_dir($dir)) {
                if ($dh = opendir($dir)) {
                    while (($file = readdir($dh)) !== false) {
                        if ($file != "." && $file != "..") {
                            include("languages/".$file);
                            if ($file_lang_default == 1)
                                $lang = $file;
                        }
                    }
                    closedir($dh);
                }
            }
        }
        // Sanitize file path
        $lang = santizePath($lang);
        $_SESSION["lang"] = $lang;
    }
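
Added example, not the vendor's hotfix and not code from the advisory: one way to stop a request-supplied language name from steering include() is to accept only names that exactly match a file present in the languages directory. resolveLangFile(), the file names en_us.php and de_de.php, and the temporary directory are hypothetical and constructed for the demo.

```php
<?php
// Added example: resolveLangFile() and the file names are hypothetical,
// not Monsta FTP code and not the vendor's hotfix.
function resolveLangFile($requested, string $dir, string $default): string
{
    $base = realpath($dir);
    if ($base === false) {
        throw new RuntimeException("language directory missing");
    }
    // Build the allow-list from the files actually present in the directory.
    $allowed = [];
    foreach (scandir($base) ?: [] as $entry) {
        if (preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $entry) === 1
            && is_file($base . DIRECTORY_SEPARATOR . $entry)) {
            $allowed[$entry] = true;
        }
    }
    // Exact match only; arrays, empty strings and path fragments fall back.
    $name = (is_string($requested) && isset($allowed[$requested]))
        ? $requested : $default;
    if (!isset($allowed[$name])) {
        throw new RuntimeException("default language file missing");
    }
    // Defence in depth: a symlinked entry must not resolve outside $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || dirname($path) !== $base) {
        throw new RuntimeException("language file resolves outside directory");
    }
    return $path;
}

// Constructed demo: a temporary directory holding two language files.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/en_us.php", "<?php // constructed\n");
file_put_contents("$dir/de_de.php", "<?php // constructed\n");

// Constructed inputs standing in for $_POST["lang"].
foreach (['de_de.php', '../outside.php', 'de_de.php/../x', '', ['a']] as $in) {
    $file = basename(resolveLangFile($in, $dir, 'en_us.php'));
    printf("%-20s -> %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), $file);
}
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Only the first input resolves to the requested file; every other input falls back to the default, so the value that reaches include() is always a name taken from the directory listing rather than from the request.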
