iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability

Title: iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
Advisory ID: ZSL-2011-5042
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 16.09.2011
Summary
With iManager you can manage your files/images on your webserver, and it provides user interface to most of the phpThumb() functions. It works either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor.
Description
iManager suffers from a file inlcusion vulnerability (LFI) / file disclosure vulnerability (FD) when input passed thru the 'lang' parameter to imanager.php, rfiles.php, symbols.php, colorpicker.php, loadmsg.php, ov_rfiles.php and examples.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

--------------------------------------------------------------------------------

/langs/lang.class.php
----------------
67: function loadData() {
68: global $cfg;
69: include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
70: $this -> charset = $lang_charset;
71: $this -> dir = $lang_direction;
72: $this -> lang_data = $lang_data;
73: unset( $lang_data );
74: include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
75: $this -> default_lang_data = $lang_data;
76: }

--------------------------------------------------------------------------------

Vendor
net4visions.com - http://www.net4visions.com
Affected Version
<= 1.2.8 Build 02012008
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
imanager_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.securityfocus.com/bid/49663
[2] http://www.exploit-db.com/exploits/17851/
[3] http://packetstormsecurity.org/files/105188
[4] http://secunia.com/advisories/46063/
[5] http://www.securelist.com/en/advisories/46063
[6] http://www.net-security.org/secworld.php?id=11649
[7] http://1337day.com/exploits/16929
[8] http://securityreason.com/wlb_show/WLB-2011090088
[9] http://xforce.iss.net/xforce/xfdb/69918
[10] http://osvdb.org/show/osvdb/75604
Changelog
[16.09.2011] - Initial release
[17.09.2011] - Added reference [1] and [2]
[18.09.2011] - Added reference [3]
[19.09.2011] - Added reference [4]
[20.09.2011] - Added reference [5], [6], [7] and [8]
[22.09.2011] - Added reference [9] and [10]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk