CultBooking 2.0.4 (lang) Local File Inclusion Vulnerability

2011-01-22T00:00:00
ID ZSL-2011-4988
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-01-22T00:00:00

Description

Title: CultBooking 2.0.4 (lang) Local File Inclusion Vulnerability
Advisory ID: ZSL-2011-4988
Type: Local
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 22.01.2011

Summary

Open source hotel booking system (Internet Booking Engine (IBE)). Via a central API called CultSwitch it is possible to make bookings and set the actual availabilities in the hotel's PMS. It is easy to install and easy to integrate, with full support.

Description

CultBooking suffers from a local file inclusion/disclosure (LFI/FD) vulnerability: input passed through the 'lang' parameter to the cultbooking.php script is not properly verified before being used to include files. This can be exploited to include files from local resources using directory traversal sequences and URL-encoded NULL bytes.
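The following PHP is an added illustration of the include pattern the advisory describes and of one way to close it; it is not CultBooking's code, and the "lang/<code>.php" file layout, the allowlist contents and the function names are assumptions made for the example. The unsafe function shows why a raw request value reaching include() is a problem (traversal sequences walk out of the intended directory, and on the PHP 5.3.1 build listed under "Tested On", which predates the NUL-byte path check added in PHP 5.3.4, a %00 byte truncates the path and discards the appended extension); the hardened function never lets the request string touch the filesystem at all.

```php
<?php
// Added example (not CultBooking's code). Layout "lang/<code>.php", the
// allowlist and the function names are assumptions for illustration only.

// --- Pattern described in the advisory (do not deploy) ---
// The request parameter flows straight into include(). Directory traversal
// and, on PHP < 5.3.4, an embedded NUL byte let the caller choose which local
// file is read and executed.
function load_language_unsafe(string $lang): void
{
    include 'lang/' . $lang . '.php';
}

// --- Hardened form ---
// Map the request value onto a fixed allowlist of known language files and
// fall back to a default for anything else. The raw string is only ever used
// as an array key, never as part of a path.
const LANG_FILES = [
    'en' => 'lang/en.php',
    'de' => 'lang/de.php',
    'it' => 'lang/it.php',
];

function resolve_language_file(string $requested, string $default = 'en'): string
{
    // Normalise case and trim; anything that is not a two-letter code known to
    // the allowlist resolves to the default file.
    $key = strtolower(trim($requested));
    if (!preg_match('/^[a-z]{2}$/', $key) || !isset(LANG_FILES[$key])) {
        $key = $default;
    }
    return LANG_FILES[$key];
}

function load_language_safe(string $lang): void
{
    include resolve_language_file($lang);
}

// Self-check with constructed inputs: every hostile or malformed value must
// resolve to the default file, and only allowlisted codes select another one.
// ($_GET values are already URL-decoded by PHP, so a %00 arrives as "\0".)
foreach (["../../etc/passwd\0", "..\\..\\boot.ini", 'en/../de', '', 'en.php'] as $probe) {
    assert(resolve_language_file($probe) === 'lang/en.php');
}
assert(resolve_language_file('DE') === 'lang/de.php');
assert(resolve_language_file(' it ') === 'lang/it.php');
```

Usage in a request handler would be `load_language_safe($_GET['lang'] ?? 'en');`. The design choice is that validation is a lookup against data the application owns rather than a filter on attacker-controlled characters: a denylist of "../" and NUL still has to be complete against every encoding and platform path separator, whereas an allowlist of two-letter keys has nothing to get wrong. Run the file with `php -d zend.assertions=1` so the self-check assertions are actually evaluated.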

Vendor

Cultuzz Digital Media GmbH - <http://www.cultuzz.com>

Affected Version

2.0.4

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

[16.01.2011] Vulnerability discovered.
[16.01.2011] Initial contact with the vendor.
[20.01.2011] No response from vendor.
[22.01.2011] Public advisory released.
[07.02.2011] Vendor releases version 2.0.5 to address this issue.

PoC

cultbooking_lfi.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/16028/>
[2] <http://www.exploit-db.com/ghdb/3677/>
[3] <http://secunia.com/advisories/43036/>
[4] <http://www.securityfocus.com/bid/45965>
[5] <http://securityreason.com/exploitalert/9871>
[6] <http://securityreason.com/exploitalert/9877>
[7] <http://packetstormsecurity.org/files/97807>
[8] <http://osvdb.org/show/osvdb/70632>
[9] <http://xforce.iss.net/xforce/xfdb/64855>

Changelog

[22.01.2011] - Initial release
[24.01.2011] - Added reference [3] and [4]
[25.01.2011] - Added reference [5], [6] and [7]
[26.01.2011] - Added reference [8]
[27.01.2011] - Added reference [9]
[07.02.2011] - Updated vendor status

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
