CultBooking 2.0.4 (lang) Local File Inclusion Vulnerability
Title: CultBooking 2.0.4 (lang) Local File Inclusion Vulnerability
Advisory ID: ZSL-2011-4988
Type: Local
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 22.01.2011
Summary
Open source hotel booking system (Internet Booking Engine (IBE)). Via a central API called CultSwitch it is possible to make bookings and set the actual availabilities in the hotel's PMS. This is easy to install and easy to integrate with full support.
Description
CultBooking suffers from a local file inclusion/disclosure (LFI/FD) vulnerability when input passed through the 'lang' parameter to the cultbooking.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.
Vendor
Cultuzz Digital Media GmbH - http://www.cultuzz.com
Affected Version
2.0.4
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[16.01.2011] Vulnerability discovered.
[16.01.2011] Initial contact with the vendor.
[20.01.2011] No response from vendor.
[22.01.2011] Public advisory released.
[07.02.2011] Vendor releases version 2.0.5 to address this issue.
PoC
cultbooking_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/16028/
[2] http://www.exploit-db.com/ghdb/3677/
[3] http://secunia.com/advisories/43036/
[4] http://www.securityfocus.com/bid/45965
[5] http://securityreason.com/exploitalert/9871
[6] http://securityreason.com/exploitalert/9877
[7] http://packetstormsecurity.org/files/97807
[8] http://osvdb.org/show/osvdb/70632
[9] http://xforce.iss.net/xforce/xfdb/64855
Changelog
[22.01.2011] - Initial release
[24.01.2011] - Added reference [3] and [4]
[25.01.2011] - Added reference [5], [6] and [7]
[26.01.2011] - Added reference [8]
[27.01.2011] - Added reference [9]
[07.02.2011] - Updated vendor status
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
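Detection example
The following is an added example, not part of the original advisory or the vendor's code. It scans web-server access-log lines for requests to cultbooking.php whose 'lang' value carries the directory traversal or URL encoded NULL byte pattern named in the Description. The log format, the install path, the sample lines and the rule that a legitimate value looks like a short language code are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: a legitimate 'lang' value is a short code such as "en" or "de_DE".
SAFE_LANG = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,4})?$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def classify_lang(raw_value):
    """Return the reasons a raw (still URL-encoded) lang value is suspicious."""
    value = raw_value
    for _ in range(3):  # bounded re-decoding also catches double encoding (%252e)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if TRAVERSAL.search(value):
        reasons.append("traversal")
    if not reasons and not SAFE_LANG.match(value):
        reasons.append("not-a-language-code")
    return reasons

def scan(log_lines, script="cultbooking.php"):
    """Return [(line_number, reasons)] for requests to `script` with a bad lang."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/" + script):
            continue
        # Split the query by hand so the raw, undecoded value is inspected.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            if unquote(key).lower() == "lang" and classify_lang(raw):
                hits.append((number, classify_lang(raw)))
    return hits

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2011:10:00:01 +0100] "GET /cultbooking/cultbooking.php?lang=en HTTP/1.1" 200 5120',
    '192.0.2.44 - - [22/Jan/2011:10:00:07 +0100] "GET /cultbooking/cultbooking.php?lang=..%2f..%2fexample.txt%00 HTTP/1.1" 200 312',
    '192.0.2.44 - - [22/Jan/2011:10:00:09 +0100] "GET /cultbooking/cultbooking.php?lang=%252e%252e%255cexample HTTP/1.1" 200 298',
    '192.0.2.10 - - [22/Jan/2011:10:00:12 +0100] "GET /index.php?lang=..%2f HTTP/1.1" 404 0',
]
```

Access logs normally record only the request line, so a 'lang' value sent in a POST body would not be visible to this check.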