Emlog Local File Inclusion Vulnerability in Plugin Management

Vulnerability

A Local File Inclusion (LFI) vulnerability has been identified in Emlog versions prior to 2.6.2. The issue resides in the admin/plugin.php file, specifically at line 80, where the $plugin parameter from the GET request is used in a require_once statement without adequate sanitization. This allows authenticated admin users to include arbitrary PHP files from the server's filesystem, potentially leading to code execution. Because the CSRF token is validated only after the file has already been included, the token check does not protect the vulnerable inclusion and can be bypassed.

Impact

Exploitation of this vulnerability allows authenticated admin users to include arbitrary files from the filesystem, with a high potential for remote code execution if a PHP file can be uploaded and then included. Additionally, non-PHP files could be included, leading to information disclosure.

Reproduction

To reproduce this vulnerability, authenticate as an admin user and send a GET request to admin/plugin.php with a crafted plugin parameter that includes path traversal sequences. If the null byte is not stripped, this will trigger the file inclusion. Alternatively, the plugin parameter can be set to include non-PHP files, such as configuration files, which could also be exploited for information disclosure.

Remediation

It is recommended to validate the $plugin parameter against a whitelist of installed plugins before including any files. This can be done by checking whether the requested name is present in that whitelist and only then constructing the path to the plugin's settings file from the whitelisted name, rather than from the raw request value.
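The whitelist approach described above, written out as an added example. This is not Emlog's own code: the plugin directory path, the settings-file naming convention, the verify_csrf_token() helper and the session token key are all assumptions made for illustration. It also moves the CSRF check ahead of the include, since the advisory notes that the original order (include first, token check second) left the inclusion unprotected.

```php
<?php
// Added example (not Emlog's own code): resolve a plugin settings file from a
// user-supplied plugin name only after a whitelist check and a canonical-path
// check. Directory layout, settings-file name and CSRF helper are assumptions.

declare(strict_types=1);

const PLUGIN_DIR = __DIR__ . '/../content/plugins'; // assumed plugin root

/**
 * Names of installed plugins: one entry per directory under $pluginDir.
 * This is the whitelist the request parameter is checked against.
 */
function installedPlugins(string $pluginDir): array
{
    $names = [];
    foreach (scandir($pluginDir) ?: [] as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (is_dir($pluginDir . DIRECTORY_SEPARATOR . $entry)) {
            $names[] = $entry;
        }
    }
    return $names;
}

/**
 * Resolve the settings file for $plugin, or return null when the name is not
 * an installed plugin or the resolved path does not stay under $pluginDir.
 */
function resolvePluginSettings(string $plugin, string $pluginDir): ?string
{
    // Defence in depth: a plugin name is a plain identifier. This rejects path
    // separators, "..", null bytes and anything else that cannot be part of a
    // simple directory name before the whitelist lookup even runs.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $plugin)) {
        return null;
    }

    // Whitelist check: the value must match an installed plugin exactly.
    if (!in_array($plugin, installedPlugins($pluginDir), true)) {
        return null;
    }

    // Assumed convention: <plugin>/<plugin>_setting.php holds the settings page.
    $candidate = $pluginDir . DIRECTORY_SEPARATOR . $plugin
               . DIRECTORY_SEPARATOR . $plugin . '_setting.php';

    // Canonicalise and confirm the result still lives inside the plugin root.
    $real = realpath($candidate);
    $root = realpath($pluginDir);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Hypothetical CSRF check: constant-time comparison against a per-session token
 * the application is assumed to have stored in $_SESSION['token'].
 */
function verify_csrf_token(string $token): bool
{
    $expected = $_SESSION['token'] ?? '';
    return $expected !== '' && hash_equals($expected, $token);
}

// --- request handling ---------------------------------------------------

session_start();

// Validate the CSRF token before any file is touched, so a forged request
// never reaches the include.
if (!verify_csrf_token((string) ($_GET['token'] ?? ''))) {
    http_response_code(403);
    exit('invalid token');
}

$plugin       = (string) ($_GET['plugin'] ?? '');
$settingsFile = resolvePluginSettings($plugin, PLUGIN_DIR);

if ($settingsFile === null) {
    http_response_code(404);
    exit('unknown plugin');
}

// Only a canonical path under PLUGIN_DIR for a whitelisted name reaches here.
require_once $settingsFile;
```

Three layers do the work here: the identifier regex removes traversal sequences and null bytes outright, the in_array() check with strict comparison ties the value to an actually installed plugin, and the realpath() prefix check catches anything (such as a symlinked plugin directory) that would otherwise point outside the plugin root.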

Added: Apr 3, 2026, 11:24 PM
Updated: Apr 3, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm

  Metric          Score
  spread          1.0
  impact          7.5
  exploitability  5.7
  remediation     0.0
  relevance       5.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.