YouPHPTube
cpe:2.3:a:youphptube:youphptube:*:*:*:*:*:*:*
- <= 7.8
A local file inclusion vulnerability has been identified in YouPHPTube versions through 7.8. This vulnerability allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. The issue arises from a path traversal flaw in the 'locale/function.php' file, where attackers can use directory traversal sequences to include and view PHP files outside the intended directory.
Exploitation of this vulnerability allows for local file inclusion, where an attacker can include files from the server's file system. This could potentially lead to the execution of included PHP files, depending on the file's content and the server's configuration.
To reproduce this vulnerability, send a GET request to the YouPHPTube application with the 'lang' parameter set to a directory traversal sequence that points to a PHP file on the server, such as 'phpinfo.php'. The application will include the specified file, allowing the attacker to view its contents in the browser.
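A detection check for the request pattern described above, as an added example that is not part of the original advisory or the YouPHPTube code base: it flags GET requests whose 'lang' value is not a plain locale code after repeated percent-decoding. The combined log format, the sample lines, the request path and the locale pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: legitimate locale codes look like "en", "en_US" or "pt-BR".
LOCALE_RE = re.compile(r"[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,4})?")

# Constructed sample entries (documentation IP range, hypothetical request path).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?lang=en_US HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?lang=..%2F..%2Fphpinfo.php HTTP/1.1" 200 9021',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /?lang=%252e%252e%252fphpinfo.php HTTP/1.1" 200 9021',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /?page=2 HTTP/1.1" 200 4800',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_lang(line):
    """Return the decoded 'lang' value if it is not a plain locale code, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    query = urlsplit(m.group("target")).query
    for raw in parse_qs(query).get("lang", []):  # parse_qs decodes once
        value = fully_decode(raw)                # undo any further encoding layers
        if not LOCALE_RE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_lang) for every flagged log entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_lang(line)
        if value is not None:
            hits.append((number, value))
    return hits
```

Matching on an allowlist of locale shapes rather than on a list of traversal strings keeps the check from missing encoded variants; the same allowlist is the natural server-side validation for the parameter.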