Source: PSIRT-CNA@flexerasoftware.com
Directory traversal vulnerability in users.php in The Address Book 1.04e allows remote attackers to include arbitrary files via a .. (dot dot) in the language parameter.
The Address Book 1.04e is vulnerable to a critical directory traversal attack. This allows attackers to remotely include arbitrary files on the server, potentially leading to remote code execution (RCE) and complete system compromise. Successful exploitation grants attackers unauthorized access to sensitive data and the ability to control the affected server.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP request to users.php.
Step 2: Parameter Manipulation: The attacker sets the language parameter in the request to a value containing directory traversal sequences (e.g., ../../../../etc/passwd).
Step 3: Vulnerable Code Execution: The users.php script processes the request and, due to the lack of input validation, directly incorporates the attacker-controlled language parameter into a file inclusion statement (e.g., include($language . '.php');).
Step 4: File Inclusion: The server attempts to include the file specified by the manipulated language parameter, which results in the inclusion of the attacker-specified file (e.g., /etc/passwd).
Step 5: Information Disclosure/RCE: Depending on the included file, the attacker can either gain sensitive information (e.g., user credentials from /etc/passwd) or, if the attacker can upload a malicious script, achieve remote code execution by including the uploaded script.
The vulnerability stems from insufficient input validation in the users.php script when handling the language parameter: the user-supplied value is concatenated into a file inclusion operation without any sanitization, and the code never checks for or rejects directory traversal sequences (../). An attacker can therefore walk out of the intended language directory and include arbitrary files, such as configuration files, or, where a script has already been placed on the server, have it executed.
While no specific APTs are directly linked to this vulnerability, its nature makes it attractive for various threat actors. The ability to achieve RCE could be leveraged by any group seeking to gain initial access or escalate privileges. This vulnerability is not listed on the CISA KEV catalog due to its age and the likely low number of active deployments.
Network Intrusion Detection Systems (NIDS) can be configured to detect malicious HTTP requests containing directory traversal sequences (e.g., ../).
Web Application Firewalls (WAFs) can be used to block requests containing directory traversal attempts.
Review web server access logs for suspicious requests to users.php with unusual language parameter values.
Monitor file access logs for unexpected access to sensitive files (e.g., /etc/passwd, configuration files).
Implement file integrity monitoring to detect changes to critical system files.
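As an added example (not part of the advisory or of The Address Book's own code), a small Python scanner that applies the log-review item above to combined-format web server access logs: it URL-decodes the language parameter (repeatedly, so percent-encoded variants are not missed) and reports requests to users.php whose value climbs the directory tree or names an absolute path. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic). Line 2 uses the payload quoted in the advisory,
# line 3 the same idea percent-encoded, line 4 a different script that is out of scope here.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /addressbook/users.php?language=en HTTP/1.1" 200 2326
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /addressbook/users.php?language=../../../../etc/passwd HTTP/1.1" 200 1812
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /addressbook/users.php?language=%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200 904
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /addressbook/index.php?language=../x HTTP/1.1" 200 512
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so doubly encoded sequences (%252e%252e%252f) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded value steps up the directory tree or is an absolute path."""
    v = decode_fully(value).replace("\\", "/")
    return v.startswith("/") or re.search(r"(^|/)\.\.(/|$)", v) is not None


def check_line(line: str):
    """Return (client_ip, decoded language value) for a suspicious users.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.rsplit("/", 1)[-1] != "users.php":
        return None
    for lang in parse_qs(parts.query, keep_blank_values=True).get("language", []):
        if is_traversal(lang):
            return (m.group("ip"), lang)
    return None


def scan_log(text: str):
    """Run check_line over every line of the log and collect the hits."""
    return [hit for hit in (check_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip} requested users.php with language={value!r}")
```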
Upgrade to a patched version of The Address Book, if available. Given the age of the software, this may not be possible.
Implement robust input validation for the language parameter. At a minimum, reject (rather than strip) values containing directory traversal sequences (../), since stripping can leave a valid traversal sequence behind; better still, map the parameter onto a fixed set of supported language names.
Restrict file inclusion operations to a whitelist of allowed files and directories.
Disable file inclusion functionality if not required.
Apply the principle of least privilege, ensuring the web server process has minimal permissions.
Implement a Web Application Firewall (WAF) to filter malicious requests.
Regularly scan the system for vulnerabilities and apply security patches promptly.
If the software is no longer supported, consider removing it from the system or isolating it in a secure environment.