CVE-2006-4579

MEDIUM 5.0 / 10.0
Published: December 31, 2006 at 05:00 AM
Modified: April 9, 2025 at 12:30 AM
Source: PSIRT-CNA@flexerasoftware.com

Vulnerability Description

Directory traversal vulnerability in users.php in The Address Book 1.04e allows remote attackers to include arbitrary files via a .. (dot dot) in the language parameter.

CVSS Metrics

Base Score: 5.0
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

The Address Book 1.04e is vulnerable to a directory traversal attack through the language parameter in users.php, which lets a remote attacker include, and so read, arbitrary files on the server. This can lead to sensitive data disclosure and potentially complete system compromise.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious URL targeting users.php with a modified language parameter.

Step 2: Malicious Parameter: The language parameter is set to a string containing ../ sequences to traverse the directory structure (e.g., language=../../../../etc/passwd).

Step 3: File Inclusion: The users.php script, without proper validation, uses the attacker-controlled language parameter to construct a file path for inclusion.

Step 4: Arbitrary File Read: The server attempts to include the specified file (e.g., /etc/passwd), and the contents of the file are then displayed or processed by the web server, leading to information disclosure.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation in the users.php script when handling the language parameter. The script directly incorporates the user-supplied value into a file inclusion operation without properly sanitizing or validating it. Specifically, the code likely uses a function like include() or require() with the unsanitized language parameter. By injecting a crafted string containing ../ sequences, an attacker can navigate outside the intended directory and include arbitrary files, such as configuration files (e.g., config.php) containing database credentials or other sensitive information. The root cause is a lack of input validation and improper sanitization of user-supplied data before its use in a file inclusion operation. This allows for path traversal and arbitrary file inclusion.
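The pattern described above, next to a hardened form, as an added example. It is not The Address Book's actual source: the function names, the lang/ directory layout and the language list are assumptions made for illustration. The script only builds and prints paths and never includes a file.

```php
<?php
// Added illustration; hypothetical code, not The Address Book's actual source.
// Assumption: users.php loads a language file from a lang/ directory by request value.

// Vulnerable pattern: the request value is concatenated into the include path.
function lang_path_vulnerable(string $langDir, string $language): string
{
    return $langDir . '/' . $language;   // "../" segments climb out of $langDir
}

// Hardened pattern: map the request value through an allowlist, then confirm the
// resolved path is still inside the language directory before it is included.
function lang_path_hardened(string $langDir, string $language): string
{
    $allowed = ['english' => 'english.php', 'german' => 'german.php']; // constructed list
    $file = $allowed[$language] ?? $allowed['english'];                // unknown -> default
    $base = realpath($langDir);
    $resolved = realpath($langDir . '/' . $file);
    if ($base === false || $resolved === false
        || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file missing or outside language directory');
    }
    return $resolved;
}

// Constructed demo: a throwaway lang/ directory and three sample parameter values.
$langDir = sys_get_temp_dir() . '/addressbook_demo_' . getmypid() . '/lang';
mkdir($langDir, 0700, true);
file_put_contents($langDir . '/english.php', "<?php // english strings\n");
file_put_contents($langDir . '/german.php', "<?php // german strings\n");

foreach (['german', '../../../../etc/passwd', 'klingon'] as $input) {
    printf("input      %s\n", $input);
    printf("vulnerable %s\n", lang_path_vulnerable($langDir, $input));
    printf("hardened   %s\n\n", lang_path_hardened($langDir, $input));
}

// Remove the demo directory again.
array_map('unlink', glob($langDir . '/*.php'));
rmdir($langDir);
rmdir(dirname($langDir));
```

In the hardened form the request value is only ever a lookup key, so a traversal string or an unknown language falls back to the default file, and the realpath() containment check covers the case where an allowlisted file is later replaced by a symlink pointing elsewhere.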
