Ticket #479 (closed security: fixed)
Opened 6 years ago
Last modified 6 years ago
directory traversal and file read
| Reported by: | dmorton | Owned by: | dmorton |
|---|---|---|---|
| Priority: | highest | Milestone: | 1.0.3 |
| Component: | PHP scripts | Version: | 1.0.1 |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description
Adriel T. Desautels from http://www.netragard.com reports that the "lang" variable is not verified and can be used to display system files. More details can be found in their advisory.
In addition to "lang", I also found "prevlang" and "super" that needed to have some verification done.
I was not able to replicate the attack on any Linux system, but the examples given to me appear to be FreeBSD. I suspect the real security flaw is in a PHP/filesystem issue on particular operating systems. It seems some systems handle "%00" as a null-terminated string and truncate the requested filename, returning a file other than what Maia requested.
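As an added illustration (not Maia's own code, and not part of the ticket), the following PHP shows the kind of verification the ticket asks for on "lang" and "prevlang": an allowlist check that rejects anything that is not a known language code, so "../" sequences and a raw NUL byte from "%00" never reach the filesystem, plus a realpath check that the resolved file stays under the locale directory. The directory layout `./locale/<code>.php` and the list of language codes are assumptions for the example.

```php
<?php
// Added example, not Maia's own code. Assumed layout: locale/<code>.php
declare(strict_types=1);

const LANG_DIR = __DIR__ . '/locale';
const ALLOWED_LANGS = ['en', 'de', 'fr', 'es'];   // constructed allowlist

/**
 * Return a safe language code or the default.
 * Only short lowercase ASCII codes on the allowlist pass, so path
 * separators, "..", absolute paths and NUL bytes are all rejected
 * before any filesystem call sees the value.
 */
function safe_lang(?string $requested, string $default = 'en'): string
{
    if ($requested === null) {
        return $default;
    }
    // preg_match is binary-safe: a NUL byte fails the [a-z] class.
    if (!preg_match('/\A[a-z]{2,8}\z/', $requested)) {
        return $default;
    }
    return in_array($requested, ALLOWED_LANGS, true) ? $requested : $default;
}

/**
 * Resolve the language file and confirm it is still inside LANG_DIR
 * after symlink resolution. Defence in depth on top of the allowlist.
 */
function lang_file(string $lang): ?string
{
    $real = realpath(LANG_DIR . '/' . $lang . '.php');
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false) {
        return null;   // missing file or missing directory
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside the locale directory
    }
    return $real;
}

// The same check applies to every parameter that selects a file by name.
$lang     = safe_lang($_GET['lang']     ?? null);
$prevlang = safe_lang($_GET['prevlang'] ?? null);

$file = lang_file($lang);
if ($file !== null) {
    require $file;
}
```

With this in place a request such as `?lang=../../etc/passwd%00` falls back to the default language instead of being passed to `require`.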