Author: Jason Whelan
PacketStorm: exploitdev
Email: exploitdevj@gmail.com
Target Software: Monsta FTP v1.3
Vendor URL: http://www.monstaftp.com
Vendor Contacted: 09/09/2013
Vendor Response: 10/09/2013
Hotfix Release: 11/09/2013

Local File Inclusion

This script does not properly sanitize user input before including the language settings file in index.php. An attacker can exploit this vulnerability by sending a malicious "lang" $_POST string. Versions <=1.3 prior to hotfix are affected.

Vulnerable Code

Line 90:

if ($_SESSION["lang"] == "" || isset($_POST["lang"]))
    setLangFile();
include("languages/".$_SESSION["lang"]);

Line 3771:

function setLangFile() {

    // The order of these determines the proper display
    if ($_COOKIE["lang"] != "")
        $lang = $_COOKIE["lang"];
    if ($_SESSION["lang"] != "")
        $lang = $_SESSION["lang"];
    if (isset($_POST["lang"]))
        $lang = $_POST["lang"];

    if ($lang == "") {
        $dir = "languages";
        if (is_dir($dir)) {
            if ($dh = opendir($dir)) {
                while (($file = readdir($dh)) !== false) {
                    if ($file != "." && $file != "..") {
                        include("languages/".$file);
                        if ($file_lang_default == 1)
                            $lang = $file;
                    }
                }
                closedir($dh);
            }
        }
    }

    // Sanitize file path
    $lang = santizePath($lang);

    $_SESSION["lang"] = $lang;
}

Note: setLangFile() does pass the value through santizePath() before storing it in $_SESSION["lang"], but that helper's body is not shown here; per the report above, it evidently does not reduce the value to a plain file name inside languages/. Since the value can come from the cookie, the session or the POST field, a fix should check it at the include itself, for example by accepting only names that match a file actually present in the languages directory.