Directory traversal vulnerability in index.php in XZero Community Classifieds 4.95.11 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pagename parameter in a page view action.
XZero Community Classifieds 4.95.11 and earlier are vulnerable to a critical directory traversal attack. This allows attackers to remotely execute arbitrary code by including local files, potentially leading to complete system compromise and data breaches. This vulnerability is easily exploitable and poses a significant risk to affected systems.
Step 1: Craft the Malicious URL: The attacker constructs a URL targeting index.php with a crafted pagename parameter. This parameter includes directory traversal sequences (../) to navigate outside the intended directory.
Step 2: Directory Traversal: The crafted pagename parameter, containing ../, is passed to the vulnerable index.php script. The script, due to the lack of proper input validation, does not filter or sanitize the ../ sequences.
Step 3: File Inclusion: The script attempts to include the file specified by the manipulated pagename parameter. Because of the directory traversal, the script can now access files outside of its intended scope.
Step 4: Arbitrary Code Execution: The attacker can include a local file containing malicious PHP code. When the script includes this file, the malicious code is executed on the server, allowing the attacker to gain control of the system.
The vulnerability stems from insufficient input validation in index.php's handling of the pagename parameter. Because user-supplied input is not sanitized, ../ sequences survive into the path that is passed to the include, so the request can name a local file outside the intended page directory, such as a configuration file or a PHP script, and the application includes and executes it. The root cause is the absence of path validation (an allowlist of page names and a check that the resolved path stays inside the intended directory) before the include.
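As an added illustration of the fix, not code from XZero Community Classifieds, the PHP below replaces the "include whatever pagename says" pattern with an allowlisted name plus a canonical-path containment check; the function name resolve_page and the assumption that page templates live as <name>.php under a pages/ directory are mine.

```php
<?php
// Added example (not XZero's code): hardened lookup for a ?pagename= value.
// Assumes page templates are stored as <name>.php inside $pagesDir.
declare(strict_types=1);

/**
 * Resolve a user-supplied page name to a file inside $pagesDir,
 * or return null when the request must be refused.
 */
function resolve_page(string $pagename, string $pagesDir): ?string
{
    // 1. Allowlist the shape of the value. Dots, slashes, backslashes and
    //    NUL bytes are not in the set, so "../" can never reach the include.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $pagename)) {
        return null;
    }

    // 2. Canonicalise both the base directory and the candidate file.
    //    realpath() returns false for a missing file, which is also a refusal.
    $base      = realpath($pagesDir);
    $candidate = realpath($pagesDir . DIRECTORY_SEPARATOR . $pagename . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Defence in depth: the canonical path must still sit under $pagesDir
    //    (catches a symlink dropped into the templates directory).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Vulnerable shape this replaces: include 'pages/' . $_GET['pagename'] . '.php';
$requested = $_GET['pagename'] ?? 'home';
$page      = resolve_page($requested, __DIR__ . '/pages');
if ($page === null) {
    // Rejected names are a useful detection signal; log them, never echo them.
    error_log('index.php: rejected pagename ' . bin2hex($requested));
    http_response_code(404);
    exit;
}
include $page;
```

A request such as pagename=../../etc/passwd fails the regex in step 1 before any filesystem access, and a name that passes the regex but resolves outside the directory is refused in step 3.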