Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability

Title: Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability
Advisory ID: ZSL-2011-5019
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 10.06.2011
Summary
The 'Pacer Edition' is a Content Management System (CMS) written using PHP 5.2.9 as a minimum requirement. The Pacer Edition CMS was based on the Website Baker core and has been completely redesigned with a whole new look and feel along with many new advanced features to allow you to build sites exactly how you want and make them, 100% yours!
Description
Pacer Edition CMS suffers from a local file inclusion vulnerability because input passed through the 'l' parameter to the admin/login/forgot/index.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

--------------------------------------------------------------------------------

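/admin/login/forgot/index.php (lines 59-62)
----------------
// The 'l' query parameter is taken as-is, with no validation of its content.
$lang_id = ((isset($_GET['l'])) ? $_GET['l'] : '');
if ($lang_id == '') $lang_id = (LANGUAGE) ? LANGUAGE : (DEFAULT_LANGUAGE) ? DEFAULT_LANGUAGE : 'EN';
// file_exists() only confirms the path resolves to a file; it does not confine it to /languages/.
if (!file_exists(PE_PATH.'/languages/'.$lang_id.'.php')) $lang_id = 'EN';
// The user-controlled value is concatenated directly into the include path.
require (PE_PATH.'/languages/'.$lang_id.'.php');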

--------------------------------------------------------------------------------
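A hardened form of the language loader shown above, as an added example (not code from the advisory or from the Pacer Edition project): the 'l' value is accepted only if it has the shape of a language code, and the resolved file must sit inside the languages directory. The function name `resolve_language_file`, the two-letter uppercase code pattern (modelled on the 'EN' default) and the temporary demo directory are assumptions.

```php
<?php
// Added example, not Pacer Edition code. The function name, the two-letter
// uppercase code pattern and the demo directory are assumptions.
function resolve_language_file($langDir, $requested, $fallback = 'EN')
{
    // Non-strings (e.g. ?l[]=x arrives as an array) and anything that is not a
    // plain language code fall back. Letters only means no '/', '\', '.' or NUL
    // byte reaches the filesystem; \A and \z anchor the whole value.
    if (!is_string($requested) || !preg_match('/\A[A-Z]{2}\z/', $requested)) {
        $requested = $fallback;
    }
    $base = realpath($langDir);
    $path = ($base === false) ? false : realpath($base . '/' . $requested . '.php');
    // Defence in depth: the resolved file must sit directly in the languages
    // directory; a missing file or a symlink leading elsewhere falls back.
    if ($path === false || dirname($path) !== $base) {
        $path = ($base === false) ? false : realpath($base . '/' . $fallback . '.php');
    }
    if ($path === false) {
        throw new RuntimeException('No usable language file');
    }
    return $path;
}

// Constructed demo: a temporary languages directory with two language files.
$dir = sys_get_temp_dir() . '/pe_lang_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/EN.php', '<?php $lang = "English";');
file_put_contents($dir . '/DE.php', '<?php $lang = "Deutsch";');

// Constructed inputs: valid code, unknown code, traversal, NUL byte, array.
$inputs = array('DE', 'XX', '../../outside', "DE\0.txt", array('DE'));
foreach ($inputs as $input) {
    $file = resolve_language_file($dir, $input);
    echo json_encode($input, JSON_UNESCAPED_SLASHES), ' => ', basename($file), "\n";
}

unlink($dir . '/EN.php');
unlink($dir . '/DE.php');
rmdir($dir);
```

In the script above, the `require` would take the path returned by this function in place of the concatenated string.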

Vendor
The Pacer Edition - http://www.thepaceredition.com
Affected Version
RC 2.1 (SVN: 867)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
pacercms_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/17379/
[2] http://packetstormsecurity.org/files/102162
[3] http://xforce.iss.net/xforce/xfdb/67973
[4] http://www.chnhack.com/Security/2011/0611/34690.html
[5] http://www.securityfocus.com/bid/48222
Changelog
[10.06.2011] - Initial release
[11.06.2011] - Added reference [3]
[12.06.2011] - Added reference [4]
[13.06.2011] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk