VYPR
Unrated severity · NVD Advisory · Published Mar 12, 2020 · Updated Aug 4, 2024

CVE-2020-10387

Description

Path Traversal in admin/download.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to download files from the server using a dot-dot-slash sequence (../) via the GET parameter file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in admin/download.php of PHPKB Standard Multi-Language 9 allows authenticated remote attackers to download arbitrary files.

Vulnerability

The admin/download.php script in Chadha PHPKB Standard Multi-Language version 9 is vulnerable to path traversal. The file GET parameter is not properly sanitized, allowing an attacker to include directory traversal sequences (../) to read arbitrary files on the server [2].

Exploitation

An attacker must first authenticate as a superuser. After logging in, they can craft a request to admin/download.php with a file parameter such as ../../etc/passwd to download files outside the intended directory. The exploit code in [2] demonstrates this sequence: login, then a GET request with the traversal payload.

Impact

Successful exploitation allows an authenticated attacker to download any file from the server, potentially disclosing sensitive information like configuration files, credentials, or application source code. This can lead to further compromise of the system.

Mitigation

No official patch has been released as of the publication date. Administrators should restrict access to the admin/download.php script, implement input validation to reject path traversal patterns, and consider upgrading to a patched version when available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input validation in the `file` GET parameter of `/admin/download.php` allows directory traversal via `../` sequences."

Attack vector

An authenticated attacker (superuser credentials required) sends a crafted GET request to `/admin/download.php` with parameters `called=ajax`, `act=backup-lang`, and a `file` parameter containing `../` sequences to traverse out of the intended directory. The PoC constructs the URL as `{base}/admin/download.php?called=ajax&act=backup-lang&file=../../{target_file}` [ref_id=1]. The server then reads and returns the contents of the attacker-specified file from the filesystem.

Affected code

The vulnerability resides in `/admin/download.php` of Chadha PHPKB Standard Multi-Language 9. The `file` GET parameter is used directly in a file download operation without sanitizing dot-dot-slash (`../`) sequences, allowing an attacker to traverse directories.

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] does not describe a vendor-supplied fix. To remediate, the application should validate or sanitize the `file` parameter in `/admin/download.php` to reject path traversal sequences (e.g., `../`) and restrict file access to an allowed directory.
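As an added illustration, not code from the advisory or from PHPKB itself, the following Python shows the two defender-side controls implied above: a canonicalising check that confines a `file` parameter to one allowed directory (the logic a fixed `/admin/download.php` would need), and a detector that flags traversal attempts against `admin/download.php` in web-server access logs. The backup directory, log format and log entries are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed directory that language backups are served from (placeholder, not PHPKB's real layout).
BACKUP_DIR = "/var/www/phpkb/admin/backups"

# Traversal spellings to flag in the `file` parameter, plain and percent-encoded.
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2f|%5c)|%2e%2e(?:/|%2f)", re.IGNORECASE)

# Request line inside a combined-format (Apache/nginx style) access log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def resolve_download(file_param, base_dir=BACKUP_DIR):
    """Hardened lookup for `file`: canonicalise the requested path under base_dir
    and refuse anything that resolves outside it. Returns the absolute path to
    serve, or None to reject the request."""
    candidate = unquote(file_param)           # collapse a second encoding layer
    if not candidate or "\x00" in candidate:  # empty name or NUL-byte truncation
        return None
    base = os.path.realpath(base_dir)
    # join() discards base for an absolute candidate; realpath() folds ../ and symlinks
    target = os.path.realpath(os.path.join(base, candidate))
    # commonpath is segment-aware, so "backups2/x" cannot pass as being under "backups"
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def is_traversal_request(url):
    """Detection: True if a request to admin/download.php carries a traversal
    sequence in its `file` parameter (for log review, not enforcement)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/admin/download.php"):
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        if TRAVERSAL.search(value) or TRAVERSAL.search(unquote(value)):
            return True
    return False


def scan_access_log(lines):
    """Return the raw log entries whose request URL trips is_traversal_request."""
    return [ln for ln in lines
            if (m := REQUEST_LINE.search(ln)) and is_traversal_request(m.group(1))]


# Constructed sample entries: a legitimate backup download, the advisory's
# ../../etc/passwd pattern, and the same pattern percent-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2020:10:01:02 +0000] "GET /phpkb/admin/download.php?called=ajax&act=backup-lang&file=en.zip HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2020:10:02:17 +0000] "GET /phpkb/admin/download.php?called=ajax&act=backup-lang&file=../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Mar/2020:10:02:41 +0000] "GET /phpkb/admin/download.php?called=ajax&act=backup-lang&file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns the second and third entries; `resolve_download("../../etc/passwd")` returns None while `resolve_download("en.zip")` yields a path inside the backup directory.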

Preconditions

  • auth: Attacker must have valid superuser credentials to authenticate to /admin/login.php
  • network: Attacker must have network access to the PHPKB application
  • input: The file parameter in the GET request must contain ../ sequences

Reproduction

1. Authenticate to the PHPKB admin panel by sending a POST request to `/admin/login.php` with `phpkb_username`, `phpkb_password`, and `login=LOGIN` parameters.
2. Send a GET request to `/admin/download.php?called=ajax&act=backup-lang&file=../../{target_file}` (where `{target_file}` is the path to the file you wish to download, relative to the PHPKB base path).
3. The server will return the contents of the specified file [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)