Test version: 2.4.7

0x00 Description
FrontAccounting uses the function clean_file_name() to strip '../' from user-submitted file names and so prevent directory traversal.
However, some variables in admin/inst_lang.php are not passed through clean_file_name(), which lets an attacker submit a language package whose language code contains '../'. Once the package has been added successfully, deleting it lets the attacker empty a folder of their choosing, as in the example below. The affected lines are:
admin/inst_lang.php:156
admin/inst_lang.php:240

![2019-11-12_104205](https://user-images.githubusercontent.com/33822448/68640053-8922e500-0541-11ea-93fa-f75c5f173761.png)
0x01 Example: empty the admin folder
Before clearing the admin folder:

![2019-11-12_113112](https://user-images.githubusercontent.com/33822448/68640065-8e802f80-0541-11ea-9d7e-461486d20516.png)

The administrator logs in and creates a new language pack:

![2019-11-12_112935](https://user-images.githubusercontent.com/33822448/68640080-993ac480-0541-11ea-9366-09cb1cf5514e.png)

Set the language code to ../admin and save it:

![2019-11-12_113003](https://user-images.githubusercontent.com/33822448/68640086-9c35b500-0541-11ea-93d4-1902a895fe8a.png)

Delete the language pack you just created:

![2019-11-12_113206](https://user-images.githubusercontent.com/33822448/68640093-9fc93c00-0541-11ea-8d40-156be986b08c.png)

After the deletion succeeds, the admin folder is empty:

![2019-11-12_113248](https://user-images.githubusercontent.com/33822448/68640098-a35cc300-0541-11ea-9909-7be66130ba7b.png)
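The missing check described in this report can be closed by validating the language code against a strict pattern and confirming the resolved directory stays inside the lang root before anything is deleted. The block below is an added example, not FrontAccounting's own code; the lang root location, the accepted code format and the helper names are assumptions.

```php
<?php
// Added example, not FrontAccounting's own code: hardened handling of a
// user-supplied language code. Root, code format and names are assumed.
// Accept only codes shaped like "en_GB" or "fr_FR"; "../admin" is rejected.
function is_valid_lang_code(string $code): bool
{
    return preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $code) === 1;
}

// Resolve $langRoot/$code and return it only if it is a child of $langRoot.
function safe_lang_dir(string $langRoot, string $code): ?string
{
    if (!is_valid_lang_code($code)) {
        return null;
    }
    $root   = realpath($langRoot);
    $target = realpath($langRoot . DIRECTORY_SEPARATOR . $code);
    if ($root === false || $target === false) {
        return null; // root or language directory does not exist
    }
    // Containment check: the target must start with "<root>/".
    if (strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Remove a language pack, refusing anything outside the lang root.
function delete_language_pack(string $langRoot, string $code): bool
{
    $dir = safe_lang_dir($langRoot, $code);
    if ($dir === null) {
        return false;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    return rmdir($dir);
}

// Demonstration on a constructed temporary lang tree.
$root = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir("$root/en_GB", 0700, true);
var_dump(delete_language_pack($root, '../admin')); // refused: code fails validation
var_dump(delete_language_pack($root, 'en_GB'));    // genuine pack removed
rmdir($root);
```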