Security: file inclusion issue #274

Open
Shinkurt opened this issue Jun 21, 2017 · 3 comments

@Shinkurt

Hey,

zpanelx/modules/dns_admin/code/getbindlog.php says:

11: $bindlog = str_replace('..', '__', $_POST['inBindLog']); 
16: $handle = fopen($bindlog, "r"); 
20: $buffer = fgets($handle, 4096); 

And the only mitigation to stop file inclusion is in line 5, which is there to stop referencing files with path traversal like ../../file.etc:
$bindlog = str_replace('..', '__', $_GET['inBindLog']);
However, this is an insufficient fix because one can send payloads like .%00./.%00./file.etc, as PHP before 5.3.6 truncates null bytes and treats them as empty values, letting us sneak in ../../file.etc.

The fix should include null bytes or a more thought-out implementation.

Thanks,

@h3ct0rjs

You can try sentora.org; it is a fork of zpanel. Actually I don't know if this is a persistent bug in the fork. Could you please take a look?

Thanks,
H

@VedranIteh

It is, and you can do an even simpler attack: specify the full path instead ... e.g. /etc/passwd

@koshermeat

Yes, I just looked and this seems consistent with the actual zpanel code. Any authenticated user can use this bug to read any file or achieve RCE by either reading sensitive config files or system files.
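
One way to close the hole discussed in this thread, as an added example that is not ZPanel or Sentora code: canonicalise the requested name with realpath() and require the result to sit inside one log directory, which handles the `..` case, the null-byte case and the absolute-path case with a single check. The function name `resolve_bind_log`, the caller-supplied base directory and the sample file names are assumptions made for illustration.

```php
<?php
// Added example (not project code): allow-list by canonical path instead of
// filtering substrings out of the user-supplied value.

/**
 * Resolve a user-supplied log name to a real file inside $baseDir.
 * Returns the canonical path, or null when the request must be rejected.
 */
function resolve_bind_log(string $requested, string $baseDir): ?string
{
    // Reject NUL bytes explicitly rather than depending on the PHP version.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Always resolve relative to the base directory. realpath() collapses
    // "..", "." and symlinks, and returns false for paths that do not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator keeps
    // a sibling such as "<base>-other" from passing the prefix comparison.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed self-check in a temporary directory (sample names are made up).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bindlog_demo_' . getmypid();
mkdir($dir);
$log = $dir . DIRECTORY_SEPARATOR . 'named.log';
file_put_contents($log, "constructed log line\n");

$inputs = ['named.log', '../named.log', '/etc/passwd', "named.log\0.txt"];
foreach ($inputs as $input) {
    $path = resolve_bind_log($input, $dir);
    printf("%-24s => %s\n", json_encode($input), $path === null ? 'rejected' : 'allowed');
}

unlink($log);
rmdir($dir);
```

Only the first constructed input resolves to a file inside the directory; the other three are rejected before any fopen() call would be reached.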
