DHTMLX File Explorer Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in DHTMLX File Explorer version 8.4.6. A remote attacker can read sensitive files through the file download functionality: the download handler does not properly validate or canonicalise the user-supplied file path, so a path containing '../' sequences traverses out of the intended directory and retrieves restricted files such as /etc/passwd on Unix-based systems.
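The root cause described above is the absence of a containment check after path canonicalisation. The following is an added example, not DHTMLX's code: a Python model of a naive download handler beside a hardened resolver that decodes once, canonicalises with realpath, and rejects anything whose canonical form leaves the storage root. The storage root and the payloads are assumed for illustration.

```python
import os
import posixpath
from urllib.parse import unquote


def vulnerable_resolve(root: str, requested: str) -> str:
    """Model of the flawed handler (assumed, not DHTMLX's actual code).

    The user-supplied path is decoded, joined onto the storage root and
    normalised, but nothing checks that the result still lies under root,
    so '../' segments (or an absolute path) walk out of the directory.
    """
    return posixpath.normpath(posixpath.join(root, unquote(requested)))


def safe_resolve(root: str, requested: str) -> str:
    """Hardened resolver: decode once, canonicalise, then verify containment.

    Raises ValueError for any request whose canonical path is not inside
    root, which covers '../' chains, URL-encoded dot segments, absolute
    paths and symlinks that point outside the storage directory.
    """
    root_real = os.path.realpath(root)
    decoded = unquote(requested)  # decode exactly once; never loop until stable
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    if decoded.startswith(("/", "\\")):
        raise ValueError("absolute path in requested path")
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath is the containment test; a plain str.startswith check would
    # wrongly accept /var/www/files_backup for a root of /var/www/files.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes storage root: {requested!r}")
    return candidate


def escapes_root(root: str, requested: str) -> bool:
    """True if the hardened resolver rejects the request."""
    try:
        safe_resolve(root, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ROOT = "/var/www/files"  # assumed storage root for illustration
    for payload in (
        "docs/report.pdf",
        "../../../../etc/passwd",
        "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
        "/etc/passwd",
    ):
        print(f"{payload!r:40} naive -> {vulnerable_resolve(ROOT, payload)!s:28} "
              f"hardened -> {'REJECT' if escapes_root(ROOT, payload) else 'ok'}")
```

Running the block shows the naive resolver mapping all three traversal payloads to /etc/passwd while the hardened one rejects them and still serves the legitimate relative path. Decoding exactly once matters: a double-encoded `%252e%252e/` stays a literal directory name after one decode and cannot escape, whereas a decode-until-stable loop would turn it into `../` and has to rely on the containment check alone.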
Impact
Successful exploitation gives a remote attacker read access to any file the web server process can read, potentially exposing configuration files, system credentials, or other critical information on the server.
Reproduction
To reproduce this vulnerability, send a GET request to the file download endpoint of the DHTMLX File Explorer application with the file path parameter set to a traversal sequence: repeated '../' segments followed by the target path, pointing outside the application's root directory. Send the request with a User-Agent header that mimics a standard web browser. The number of '../' segments needed depends on how deeply the storage directory is nested, so several depths may need to be tried. A vulnerable instance returns the contents of the requested file rather than an error.
