Pritlog <= 0.4 filename Remote File Disclosure Vulnerability

ID EDB-ID:6639
Type exploitdb
Reporter Pepelux
Modified 2008-09-30T00:00:00


Pritlog <= 0.4: Remote File Edition Vulnerability

$ Program: Pritlog
$ File affected: index.php
$ Version: 0.4
$ Download:

Found by Pepelux <pepelux[at];
eNYe-Sec -

-- Description (from the author's page) --
PRITLOG is an extremely simple, small and powerful blog system. It does not 
use or need a MYSQL database and fully works based on flat files. The idea 
is derived from a similar app called PPLOG.

-- Bug --
You can navigate and see the entries. Something like:

Code doesn't check the comments directory:

function viewEntry() {
	// 'filename' is taken straight from the request, with no validation
	$fileName   = isset($_POST['filename'])?$_POST['filename']:$_GET['filename'];
	global $postdir, $separator, $newPostFile, $newFullPostNumber, $debugMode, $config_textAreaCols, $config_textAreaRows;
	global $config_allowComments, $config_commentsSecurityCode, $config_CAPTCHALength, $config_randomString;
	global $commentdir,$config_dbFilesExtension, $config_onlyNumbersOnCAPTCHA;
	// ...and is concatenated unchecked into the entry path
	$viewFileName=$postdir.$fileName.$config_dbFilesExtension;
	// (rest of viewEntry() is not shown in the advisory)
}
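
-- Hardening sketch (added example) --
One way to validate the filename before it is joined to $postdir, given as an added example and not as Pritlog's code or a vendor fix. The function name resolveEntryPath(), the allowlist pattern, the '.prt' extension and the sample names are assumptions made for the demo.

```php
<?php
// Added example: hardened lookup for a flat-file entry. Not Pritlog's code.
// Assumption: entry names consist of letters, digits, '-' and '_' only.

function resolveEntryPath(string $postdir, string $fileName, string $ext): ?string
{
    // Allowlist check: rejects path separators, dot segments and NUL bytes
    // in one step. \A and \z anchor the whole string (no trailing newline).
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $fileName) !== 1) {
        return null;
    }

    $base = realpath($postdir);
    if ($base === false) {
        return null; // posts directory missing or unreadable
    }

    // Canonicalise the candidate and confirm it is still inside $postdir
    // (this also catches symlinks that point elsewhere).
    $path = realpath($base . DIRECTORY_SEPARATOR . $fileName . $ext);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data in a temporary directory ('.prt' is a made-up extension).
$postdir = sys_get_temp_dir() . '/pritlog_demo_' . bin2hex(random_bytes(4));
mkdir($postdir);
file_put_contents($postdir . '/entry1.prt', 'hello');

// Constructed sample names: one valid entry, one missing entry, and names
// containing a separator, a dot segment, a NUL byte, or nothing at all.
$samples = ['entry1', 'missing', 'a/b', '..', "entry1\0", ''];
foreach ($samples as $name) {
    $result = resolveEntryPath($postdir, $name, '.prt');
    printf("%-16s => %s\n", json_encode($name), $result === null ? 'rejected' : 'ok');
}

unlink($postdir . '/entry1.prt');
rmdir($postdir);
```

Only 'entry1' resolves; every other sample is rejected. The check does not depend on magic quotes or on the appended extension to keep the path inside the posts directory.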

-- Exploit --
If magic quotes are off you can do:

config.php has the admin password

# [2008-09-30]