High-Tech Bridge HTB23258
May 06, 2015 - 12:00 a.m.

Local PHP File Inclusion in ResourceSpace

2015-05-06 00:00:00
High-Tech Bridge
www.htbridge.com
EPSS: 0.013 (percentile: 86.1%)

High-Tech Bridge Security Research Lab discovered a vulnerability in ResourceSpace, which can be exploited to include an arbitrary local PHP file, execute PHP code, and compromise the vulnerable web application and even the entire web server on which the application is hosted.

The vulnerability exists because the “defaultlanguage” HTTP GET parameter received from the user is not filtered before it is used to include a PHP file with the “include()” PHP function in the “/pages/setup.php” script. By default, the installation script “/pages/setup.php” remains on the system after installation and is remotely accessible to non-authenticated users.

A simple PoC below includes a local file “/tmp/file.php”:

http://[host]/pages/setup.php?defaultlanguage=…/…/…/…/…/tmp/file
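
For defenders, the two conditions described above (the installer still answering after installation, and a “defaultlanguage” value that is not a plain language code) can be checked in web server access logs. The following is an added example, not code from High-Tech Bridge or ResourceSpace; the combined log format, the language-code pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate values are short language codes such as "en" or "pt-BR".
LANG_CODE = re.compile(r"[A-Za-z]{2,3}(?:[-_][A-Za-z]{2,4})?")
# Request line and status code inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return None, 'setup-exposed' or 'suspicious-defaultlanguage' for one log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    target, status = m.group(1), m.group(2)
    parts = urlsplit(target)
    # Decode the path so a percent-encoded spelling of setup.php is still recognised.
    path = unquote(parts.path).lower()
    if not path.endswith("/pages/setup.php"):
        return None
    # parse_qs percent-decodes once; anything that is still not a plain
    # language code (path separators, dots, leftover % sequences) is flagged.
    for value in parse_qs(parts.query).get("defaultlanguage", []):
        if not LANG_CODE.fullmatch(value):
            return "suspicious-defaultlanguage"
    # The installer answering successfully after installation is itself a finding.
    return "setup-exposed" if status.startswith("2") else None

def scan(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        finding = classify(line)
        if finding:
            hits.append((number, finding))
    return hits

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '192.0.2.10 - - [06/May/2015:10:00:01 +0000] "GET /pages/home.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [06/May/2015:10:00:05 +0000] "GET /pages/setup.php HTTP/1.1" 200 8841',
    '198.51.100.7 - - [06/May/2015:10:02:11 +0000] "GET /pages/setup.php?defaultlanguage=en-US HTTP/1.1" 403 199',
    '198.51.100.7 - - [06/May/2015:10:02:12 +0000] "GET /pages/setup.php?defaultlanguage=%2e%2e%2fx%2fy HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

A “setup-exposed” hit means the installation script is still reachable and returning content; a “suspicious-defaultlanguage” hit is reported regardless of the response status, since the request itself is worth investigating.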
