The vulnerability allows an authenticated user to set the language setting to a valid file path; the code then includes that file and, in some environments, executes malicious code.
The vulnerability occurs because the function TRANS does not validate or sanitize user-supplied input.
Through log poisoning it was possible to obtain RCE in the application:
- Poison the log by inserting malicious PHP code;
- Logs:
- When changing the user's language, intercept the request and, in the "lang" parameter, use path traversal to point to the directory of the log that was poisoned;
- After saving the settings, when the user opens the application, the log file will be included and the malicious PHP code will be executed.
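
One way to close the inclusion path described above, as an added example rather than the application's own code: the "lang" value is checked against a strict pattern and an allowlist of shipped translation files before any path is built. The function name `resolve_lang_file`, the `lang/` directory layout and the `en` default are assumptions, and `str_starts_with` requires PHP 8.

```php
<?php
declare(strict_types=1);

// Assumed layout (hypothetical): one file per language, e.g. lang/en.php.
const LANG_DIR = __DIR__ . '/lang';
const DEFAULT_LANG = 'en';

// Map a user-supplied "lang" value to a translation file inside $dir,
// falling back to the default for anything that is not a shipped language.
function resolve_lang_file(string $lang, string $dir = LANG_DIR): string
{
    $default = $dir . '/' . DEFAULT_LANG . '.php';

    // 1. Shape check: codes such as "en" or "pt_BR" only, no separators or dots.
    if (preg_match('/\A[a-z]{2}(_[A-Z]{2})?\z/', $lang) !== 1) {
        return $default;
    }

    // 2. Allowlist built from the translation files that ship with the app.
    $allowed = array_map(
        static fn(string $p): string => basename($p, '.php'),
        glob($dir . '/*.php') ?: []
    );
    if (!in_array($lang, $allowed, true)) {
        return $default;
    }

    // 3. Defence in depth: the resolved path must still sit under $dir.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $lang . '.php');
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return $default;
    }
    return $path;
}

// Constructed demo: a temporary directory, two translation files, sample inputs.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/en.php", '<?php return [];');
file_put_contents("$dir/pt_BR.php", '<?php return [];');
foreach (['pt_BR', '../../../var/log/app.log', 'en.php', 'xx'] as $value) {
    printf("%-26s -> %s\n", $value, basename(resolve_lang_file($value, $dir)));
}
```

The caller includes only the returned path, so a request value never reaches `include` directly.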