FrontAccountingERP/FA

A Directory Traversal vulnerability

Closed this issue · 3 comments

Test version: 2.4.7

0x00 description

Frontaccounting is using the function clean_file_name() to eliminate '../' in the file name submitted by the user to avoid directory traversal vulnerability.


However, some variables do not use the function clean_file_name() in admin/inst_lang.php, which can cause attackers to submit a language package containing the language code '../'. After adding it successfully, by deleting it, the attacker can empty a specified folder like in the examples.

admin/inst_lang.php:156


admin/inst_lang.php:240

0x01 Example: empty admin folder

  1. Before clearing the admin folder
  2. The administrator logs in and creates a new language pack
  3. Set the language code to ../admin and save it
  4. Delete the language pack you just created
  5. After deleting successfully, the admin folder will be emptied
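The two checks a fix for this class of bug needs, as an added example that is not from the report or from FrontAccounting's code (it is written in Python rather than the project's PHP, and the lang/ and admin/ layout it builds in a temporary directory is constructed): a strict allowlist on the language code itself, and a separate confinement check that whatever path is built from it still resolves inside the language root before anything is deleted.

```python
import os
import re
import shutil
import tempfile
from typing import Optional

# Allowlist for language codes such as "en" or "en_GB". A submitted code like
# "../admin" fails here before it can become part of any path.
LANG_CODE_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def is_valid_lang_code(code: str) -> bool:
    return LANG_CODE_RE.fullmatch(code) is not None


def lang_dir_for(lang_root: str, code: str) -> Optional[str]:
    """Directory for `code` under `lang_root`, or None if it is not safe."""
    if not is_valid_lang_code(code):
        return None
    root = os.path.realpath(lang_root)
    target = os.path.realpath(os.path.join(root, code))
    # Second, independent check: the resolved path must stay inside lang_root.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def remove_lang_pack(lang_root: str, code: str) -> bool:
    """Delete a language pack, refusing anything that resolves outside lang_root."""
    target = lang_dir_for(lang_root, code)
    if target is None or not os.path.isdir(target):
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Constructed layout mirroring the report: lang/ and admin/ side by side."""
    base = tempfile.mkdtemp()
    lang_root, admin_dir = os.path.join(base, "lang"), os.path.join(base, "admin")
    os.makedirs(os.path.join(lang_root, "en_GB"))
    os.makedirs(admin_dir)
    open(os.path.join(admin_dir, "inst_lang.php"), "w").close()
    results = {
        "delete_en_GB": remove_lang_pack(lang_root, "en_GB"),
        "delete_traversal": remove_lang_pack(lang_root, "../admin"),
        "admin_intact": os.path.isfile(os.path.join(admin_dir, "inst_lang.php")),
        "en_GB_gone": not os.path.exists(os.path.join(lang_root, "en_GB")),
    }
    shutil.rmtree(base)
    return results
```

The allowlist alone would already have stopped the report's "../admin" code; the confinement check in lang_dir_for is there so that a future bypass of the validation still cannot reach a directory outside lang/.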

Yes, indeed. Fix is added to the repo.

Should this issue be closed?

ok