FrontAccountingERP / FA

Official FrontAccounting mirror repository
95 stars 98 forks source link

A Directory Traversal vulnerability #40

Closed Zh3-H4ck closed 2 years ago

Zh3-H4ck commented 5 years ago

test version:2.4.7

0x00 description

Frontaccounting is using the function clean_file_name() to eliminate '../' in the file name submitted by the user to avoid directory traversal vulnerability.

2019-11-12_103343

However, some variables do not use the function clean_file_name() in admin/inst_lang.php, which can cause attackers submit the language package containing the language code of '../'. Affter adding successfully, by deleting it, the attacker can emptied specified folder like the examples.

admin/inst_lang.php:156

2019-11-12_104009

admin/inst_lang.php:240 2019-11-12_104205

0x01 Example:empty admin folder

  1. Before clearing the admin folder 2019-11-12_113112

  2. The administrator logs in and creates a new language pack 2019-11-12_112847 2019-11-12_112935

  3. Set the language code to ../admin and save it 2019-11-12_113003

  4. Delete the language pack you just created 2019-11-12_113206

  5. After deleting successfully, the admin folder will be emptied 2019-11-12_113248

FrontAccountingERP commented 4 years ago

Yes, indeed. Fix is added to the repo.

cambell-prince commented 3 years ago

Yes, indeed. Fix is added to the repo.

Should this issue be closed?

Zh3-H4ck commented 2 years ago

ok