iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

Title: iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability
Advisory ID: ZSL-2011-5041
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 16.09.2011
Summary
iBrowser is an image browser plugin for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions. It allows image browsing, resizing on upload, directory management and more with the integration of the phpThumb image library.
Description
iBrowser suffers from a file inlcusion vulnerability (LFI) / file disclosure vulnerability (FD) when input passed thru the 'lang' parameter to ibrowser.php, loadmsg.php, rfiles.php and symbols.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

--------------------------------------------------------------------------------

/langs/lang.class.php
----------------
67: function loadData() {
68: global $cfg;
69: include( dirname(__FILE__) . '/' . $this -> lang.'.php' );
70: $this -> charset = $lang_charset;
71: $this -> dir = $lang_direction;
72: $this -> lang_data = $lang_data;
73: unset( $lang_data );
74: include( dirname(__FILE__) . '/' . $cfg['lang'].'.php' );
75: $this -> default_lang_data = $lang_data;
76: }

--------------------------------------------------------------------------------

Vendor
net4visions.com - http://www.net4visions.com
Affected Version
<= 1.4.1 Build 10182009
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
ibrowser_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.securityfocus.com/bid/49663
[2] http://www.exploit-db.com/exploits/17850/
[3] http://packetstormsecurity.org/files/105187
[4] http://1337day.com/exploits/16928
[5] http://securityreason.com/wlb_show/WLB-2011090087
[6] http://xforce.iss.net/xforce/xfdb/69917
Changelog
[16.09.2011] - Initial release
[17.09.2011] - Added reference [1] and [2]
[18.09.2011] - Added reference [3], [4] and [5]
[22.09.2011] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk