Test version: 2.4.7
0x00 Description
FrontAccounting uses the function clean_file_name() to strip '../' from user-submitted file names in order to prevent directory traversal.
However, some variables in admin/inst_lang.php are not passed through clean_file_name(), so an attacker can submit a language package whose language code contains '../'. Once the package has been added successfully, deleting it lets the attacker empty the folder the code points at, as shown in the example below.
admin/inst_lang.php:156
admin/inst_lang.php:240
0x01 Example: empty the admin folder
Before clearing the admin folder
The administrator logs in and creates a new language pack
Set the language code to ../admin and save it
Delete the language pack you just created
After the deletion succeeds, the admin folder is emptied.
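The root cause described above is that the language code is used to build a filesystem path without validation. The following Python snippet is an added, illustrative example and is not FrontAccounting's code, nor a copy of its clean_file_name(); it shows the two checks a defender would want before deleting a language pack: an allowlist on the code itself (so '../admin' never reaches the filesystem layer) and a realpath containment check that refuses any target resolving outside the language root. The directory layout (a `lang/en_US` pack beside an `admin` folder) is constructed in a temporary directory for the demo.

```python
import os
import re
import shutil
import tempfile
from typing import Optional

# Assumption (not the project's rule): a language code is letters plus an
# optional region/script suffix, e.g. "en", "en_US", "zh_Hant". Dots, slashes
# and backslashes are never valid, so traversal strings fail this check first.
LANG_CODE_RE = re.compile(r"^[A-Za-z]{2,3}(_[A-Za-z]{2,4})?$")


def is_valid_lang_code(code: str) -> bool:
    """Allowlist check: validate the code instead of stripping '../' from it."""
    return bool(LANG_CODE_RE.fullmatch(code))


def resolve_inside(base_dir: str, name: str) -> Optional[str]:
    """Return the real path of base_dir/name if it stays inside base_dir, else None.

    realpath collapses '..' and symlinks; commonpath avoids the prefix trick
    where '/x/lang_old' would wrongly pass a startswith('/x/lang') test.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def delete_lang_pack(lang_root: str, code: str) -> bool:
    """Remove lang_root/<code> only when both checks pass; True if deleted."""
    if not is_valid_lang_code(code):
        return False
    target = resolve_inside(lang_root, code)
    if target is None or not os.path.isdir(target):
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Constructed layout: <tmp>/lang/en_US and <tmp>/admin/inst_lang.php.

    Attempts the traversal deletion from the report and a legitimate one.
    """
    with tempfile.TemporaryDirectory() as tmp:
        lang_root = os.path.join(tmp, "lang")
        os.makedirs(os.path.join(lang_root, "en_US"))
        admin_dir = os.path.join(tmp, "admin")
        os.makedirs(admin_dir)
        marker = os.path.join(admin_dir, "inst_lang.php")
        open(marker, "w").close()

        results = {
            # the code from the report is refused before any path is built
            "traversal_rejected": not delete_lang_pack(lang_root, "../admin"),
            "admin_intact": os.path.exists(marker),
            # a well-formed code still works as intended
            "valid_deleted": delete_lang_pack(lang_root, "en_US"),
            "en_US_gone": not os.path.exists(os.path.join(lang_root, "en_US")),
        }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check in resolve_inside() is the second line of defence: even if a code slipped past the allowlist, nothing outside lang_root can be deleted. In the original report, the only effective control was the per-variable use of clean_file_name(), which is exactly the kind of check that gets missed on one code path.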