S40 CMS Path Traversal Vulnerability
Vulnerability
A path traversal vulnerability has been identified in S40 CMS version 0.4.2. The issue arises in the index.php page handler, where the 'p' parameter is not properly sanitized. This lack of validation allows attackers to traverse the file system and access arbitrary files outside the web root. The vulnerability can be exploited remotely without authentication by appending traversal sequences and a null byte to bypass file extension checks.
Impact
Exploitation of this vulnerability leads to local file inclusion, allowing attackers to read sensitive files on the server, such as the password file.
Reproduction
To reproduce this vulnerability, send a GET request to the index.php page with the 'p' parameter set to a file path that includes traversal sequences. Append a null byte to the end of the file path to bypass file extension checks. The server response will indicate whether the file was successfully retrieved or if there was a permission issue or a 404 error.
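A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags index.php requests whose 'p' value decodes to traversal segments or a null byte. The Combined Log Format layout, the function names and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request target and status code from a Combined Log Format entry (assumed layout).
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample entries (documentation IP range, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?p=about HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?p=../../../../srv/example/secret.txt%00 HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?p=%252e%252e%252fexample%2500 HTTP/1.1" 404 310',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /images/logo.png?p=../x HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, e.g. %252e -> %2e -> '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a suspicious index.php 'p' value, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/index.php"):
        return None
    # parse_qs decodes once; fully_decode handles double-encoded values.
    for raw in parse_qs(url.query, keep_blank_values=True).get("p", []):
        value = fully_decode(raw).replace("\\", "/")
        reasons = []
        if ".." in value.replace("\x00", "").split("/"):
            reasons.append("traversal")
        if "\x00" in value:
            reasons.append("null-byte")
        if reasons:
            return {"status": int(m.group("status")), "reasons": reasons, "p": repr(value)}
    return None

def scan(lines):
    """Collect findings for every matching log line, in order."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status field on each finding records the server's response, which is what separates a retrieved file from a 404 when triaging.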
