Ticket #479 (closed security: fixed)
directory traversal and file read
Reported by: dmorton | Owned by: dmorton
Adriel T. Desautels from http://www.netragard.com reports that the "lang" variable is not verified and can be used to display system files. More details can be found in their advisory.
In addition to "lang", I also found "prevlang" and "super" that needed to have some verification done.
I was not able to replicate the attack on any Linux system, but the examples given to me appear to be FreeBSD. I suspect the real security flaw is in a php/filesystem issue on particular operating systems. It seems some systems handle "%00" as a null-terminated string and truncate the requested filename, returning a file other than what Maia requested.
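The fix the ticket calls for is to verify the language parameters before they touch the filesystem. The following is an added example written for this ticket, not Maia's own code: it assumes language files live at locale/<code>.php and that the parameter names are "lang" and "prevlang" (what "super" holds is not stated, so it is left out); the function names are hypothetical.

```php
<?php
// Added example, not Maia Mailguard code. Assumed layout: locale/<code>.php

const LOCALE_DIR = __DIR__ . '/locale';

// The pattern the ticket describes: the raw request value becomes part of a
// path. Traversal sequences pass through, and on platforms where a %00 byte
// truncates the name, the ".php" suffix is silently dropped as well.
function lang_file_unchecked(string $lang): string
{
    return LOCALE_DIR . '/' . $lang . '.php';
}

// Hardened form: allowlist the shape of a language code and reject anything
// else, then confirm the resolved path is still under LOCALE_DIR.
// Returns null when the value must not be used.
function lang_file_checked(string $lang): ?string
{
    // \A and \z (not ^ and $) so a trailing newline cannot slip past the check.
    // Codes such as "en" or "pt_BR" only: no "/", ".", "%", or NUL possible.
    if (!preg_match('/\A[a-z]{2,3}(_[A-Z]{2})?\z/', $lang)) {
        return null;
    }
    $base      = realpath(LOCALE_DIR);
    $candidate = realpath(LOCALE_DIR . '/' . $lang . '.php');
    if ($base === false || $candidate === false) {
        return null; // locale dir missing or no such language file
    }
    // Defence in depth: realpath() has collapsed symlinks and "..", so a
    // plain prefix comparison now proves the file is inside the locale dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Apply the same check to each language parameter the ticket names, falling
// back to a known-good default instead of the raw request value.
function language_from_request(string $param, string $default = 'en'): string
{
    $value = isset($_GET[$param]) ? (string) $_GET[$param] : $default;
    return lang_file_checked($value) !== null ? $value : $default;
}

$lang     = language_from_request('lang');
$prevlang = language_from_request('prevlang');
// Only ever include lang_file_checked($lang), never lang_file_unchecked().
```

Because the regex rejects the value before any filesystem call, the %00 truncation the ticket suspects never gets a chance to act, regardless of how the underlying OS handles the null byte.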