CVE-2022-34026: directory traversal in ICEcoder

//line 62 if (true === isset($_POST[‘username’]) && “” !== $_POST[‘username’]) {$username = $_POST[‘username’] . "-";}; $settingsFile = 'config-' . $username . str_replace(".", "_", str_replace("www.", "", $_SERVER[‘SERVER_NAME’])) . '.php’; // line 110 $ICEcoderUserSettings = $settingsClass->getConfigUsersSettings($settingsFile);

//line 160 // Note: the source is in the $filename public function getConfigUsersSettings($fileName) { // Get users config file details $fullPath = $this->getConfigUsersFileDetails($fileName)[‘fullPath’]; // $fullPath is a source $settingsFromFile = $this->serializedFileData("get", $fullPath); // attacker control the loaded file in this function // Now return return $settingsFromFile; }

//line 142 // Note: the source is in the $filename public function getConfigUsersFileDetails($fileName) { // Return details about the users config file $fullPath = dirname(__FILE__) . “/…/data/” . $fileName; $exists = file_exists($fullPath); $readable = is_readable($fullPath); $writable = is_writable($fullPath); $filemtime = filemtime($fullPath); return [ “fileName” => $fileName, “fullPath” => $fullPath, “exists” => $exists, “readable” => $readable, “writable” => $writable, “filemtime” => $filemtime, ]; }

// line 226 public function serializedFileData($do, $fullPath, $output=null) { if (“get” === $do) { if (function_exists(‘opcache_invalidate’)) { opcache_invalidate($fullPath, true); } $data = file_get_contents($fullPath); // Note: $fullPath is controlled by the user $data = str_replace("<"."?php\n/*\n\n", "", $data); $data = str_replace("\n\n*/\n?".">", "", $data); $data = unserialize($data); return $data; } if (“set” === $do) { if (true === is_array($output)) { $output = serialize($output); } return false !== file_put_contents($fullPath, “<"."?php\n/*\n\n” . $output . “\n\n*/\n?” . “>”); } }

CVE-2022-34026 is assigned to this report.