Carbon PHP Library Arbitrary File Inclusion Vulnerability in setLocale Method
Vulnerability
A vulnerability allowing arbitrary file inclusion has been identified in the Carbon PHP library, affecting versions 3.0.0 up to (but not including) 3.8.4 and versions prior to 2.72.6. The issue arises when an application passes unsanitized user input to the Carbon::setLocale method. If the application also permits users to upload files with a .php extension into a directory from which files can be included or required, there is a risk of arbitrary code execution on the server.
Impact
Exploitation of this vulnerability could lead to arbitrary file inclusion, allowing an attacker to include files from the server's file system. If the included file is a PHP file, this could result in arbitrary code execution on the server.
Reproduction
To reproduce this vulnerability, upload a PHP file to a directory that allows file inclusion. Ensure that the file can be accessed via a locale that is passed to the Carbon::setLocale method without proper sanitization. The uploaded PHP file will be executed, leading to arbitrary code execution on the server.
Remediation
Upgrade to Carbon version 3.8.4 (3.x branch) or 2.72.6 (2.x branch) to address this vulnerability. Applications using Carbon should additionally validate and sanitize user input before passing it to the setLocale method, for example by restricting it to an allowlist of known locale identifiers. Finally, consider handling uploaded files with a storage system that is not local to the application, such as a remote service or a local service run by another user, so that uploaded content can never be included by the application's PHP process.
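The following is an added example of the input validation recommended above; it is not code from the advisory or from the Carbon project. The LocaleGuard class and its pattern are the author's own construction; Carbon::getAvailableLocales() and Carbon::setLocale() are real Carbon APIs, and the sample inputs at the bottom are constructed for illustration.

```php
<?php
// Added example (not from the advisory or the Carbon project): guard untrusted
// locale input before it ever reaches Carbon::setLocale().
declare(strict_types=1);

use Carbon\Carbon;

final class LocaleGuard
{
    // Cheap pre-filter: language, optional script, optional region, e.g. "en",
    // "pt_BR", "sr_Latn_ME", "es_419". Path characters ("/", "\", "."), NUL
    // bytes and extensions cannot match this shape.
    private const LOCALE_PATTERN =
        '/^[a-z]{2,3}(?:_[A-Z][a-z]{3})?(?:_[A-Z]{2}|_[0-9]{3})?$/';

    /** @var list<string>|null cached names of locales shipped with Carbon */
    private static ?array $known = null;

    // Decisive check: the value must be one of the locales Carbon itself ships.
    // The pattern only rejects obvious garbage early; the allowlist is what
    // prevents arbitrary file names from being turned into include paths.
    public static function isSafe(string $candidate): bool
    {
        if (strlen($candidate) > 16 || preg_match(self::LOCALE_PATTERN, $candidate) !== 1) {
            return false;
        }
        self::$known ??= Carbon::getAvailableLocales();
        return in_array($candidate, self::$known, true);
    }

    // Applies the locale if it is safe, otherwise falls back to a fixed default.
    // Returns the locale that was actually set so callers can log rejections.
    public static function apply(string $candidate, string $fallback = 'en'): string
    {
        $locale = self::isSafe($candidate) ? $candidate : $fallback;
        Carbon::setLocale($locale);
        return $locale;
    }
}

// Constructed sample inputs, e.g. taken from a query parameter or cookie.
foreach (['fr', 'pt_BR', '../uploads/avatar', 'en_US.php', "en\0"] as $input) {
    printf("%-24s -> %s\n", var_export($input, true), LocaleGuard::apply($input));
}
```

With the constructed inputs, only 'fr' and 'pt_BR' are passed through; the other three fall back to 'en' and never influence which file Carbon loads.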
