ImpressCMS imFAQ Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the imFAQ module for ImpressCMS, affecting version 1.0.0 (releases prior to 1.0.1). The 'seoOp' and 'seoArg' parameters are taken directly from the URL without sanitization or validation. An attacker can therefore supply a file path in the 'seoOp' parameter and use it to read sensitive files on the server. The risk is somewhat mitigated because important ImpressCMS files are stored outside the web root in a randomly named folder, but the vulnerability still poses a significant threat.
Impact
Exploitation of this vulnerability allows for local file inclusion, enabling attackers to read sensitive files on the server.
Reproduction
To reproduce this vulnerability, send a request to the application with the 'seoOp' parameter set to a crafted input that includes a file path to a sensitive file, such as the configuration file. The application will include the specified file, allowing the attacker to read its contents.
Remediation
The vulnerability has been patched in imFAQ version 1.0.1. Users are advised to update to this version. Alternatively, the 'SEO' functionality can be disabled in the module's settings.
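To check whether the two parameters were probed before the update was applied, web server access logs can be reviewed. The following is an added example, not code from imFAQ or ImpressCMS: it decodes 'seoOp' and 'seoArg' from each request line and flags any value that is not a short slug. The slug rule, the /PLACEHOLDER/ path, the value "category" and the log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: a legitimate SEO operation/argument is a short slug.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{0,64}")
WATCHED = ("seoOp", "seoArg")
# Request field of the common/combined log format: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(name, decoded_value)] for watched parameters failing the slug check."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group(1)).query
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in WATCHED:
            decoded = fully_decode(value)
            if not SAFE_VALUE.fullmatch(decoded):
                hits.append((name, decoded))
    return hits

def scan(lines):
    """Return [(line_number, (name, decoded_value))] over an iterable of log lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in suspicious_params(line)]

# Constructed sample log lines (documentation IP range, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /PLACEHOLDER/index.php?seoOp=category&seoArg=12 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2024:10:00:05 +0000] "GET /PLACEHOLDER/index.php?seoOp=..%252F..%252Fexample&seoArg=1 HTTP/1.1" 200 310',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /PLACEHOLDER/index.php?page=2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for lineno, (name, value) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {name}={value!r}")
```

Only parameters carried in the query string appear in access logs, so values sent in a request body are not covered by this check.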
