Zubrag Smart File Download 1.3 File Download

2009-04-29T00:00:00
ID PACKETSTORM:77114
Type packetstorm
Reporter Aodrulez
Modified 2009-04-29T00:00:00

Description

`---------------------------------------------------  
"File Download 1.3" Remote File Download Exploit.  
---------------------------------------------------  
By: Aodrulez.  
Email: f3arm3d3ar@gmail.com  
Blog: aodrulez.blogspot.com.  
---------------------------------------------------  
  
Script Name: File Download 1.3  
Vendor: http://www.zubrag.com/scripts/  
  
Description:  
  
This PHP script, named "download.php",  
can be tricked into letting a remote attacker  
download files of any type, such as .php or .txt.  
This is done by appending a null byte  
followed by an allowed extension, for example:  
  
http://www.site.com/download.php?f=/path/file.php%00.jpg  
  
-----------------------------------------------------  
Greetz Fly Out to:  
1] Amforked() : My Mentor.  
2] The Blue Genius : My Boss.  
3] www.OrchidSeven.com.  
  
"If you think C++ is not overly complicated, just what is   
a protected abstract virtual base pure virtual private   
destructor, and when was the last time you needed one?"  
-- Tom Cargill.  
  
  
`
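
The request pattern described in the advisory can be found in web server logs. The following is an added example, not code from the advisory or from the Zubrag script: it models the mismatch between the extension an allowlist check sees (the suffix of the full string) and the path a C-level file open uses (everything before the first NUL), then scans access-log lines for it. The allowlist, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED = {".jpg", ".png", ".gif", ".pdf"}  # assumed allowlist, not taken from the script
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Apr/2009:10:00:01 +0000] "GET /download.php?f=/files/photo.jpg HTTP/1.1" 200 48211',
    '192.0.2.44 - - [29/Apr/2009:10:00:07 +0000] "GET /download.php?f=/path/file.php%00.jpg HTTP/1.1" 200 1532',
    '192.0.2.10 - - [29/Apr/2009:10:00:09 +0000] "GET /index.php?f=a%00.jpg HTTP/1.1" 200 512',
]

def ext(path):
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""

def analyse(f_value):
    """Compare what an extension check sees with what a NUL-terminated open would use."""
    has_nul = "\x00" in f_value
    checked = ext(f_value)                   # suffix of the whole string
    opened = f_value.split("\x00", 1)[0]     # a C string ends at the first NUL
    return {
        "nul": has_nul,
        "checked_ext": checked,
        "opened_path": opened,
        "bypass": has_nul and checked in ALLOWED and ext(opened) != checked,
    }

def scan(log_lines, script="download.php", param="f"):
    """Return (line_no, opened_path) for requests to `script` whose `param` holds a NUL."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/" + script):
            continue
        for value in parse_qs(url.query).get(param, []):  # parse_qs decodes %00 to "\x00"
            info = analyse(value)
            if info["nul"]:
                hits.append((n, info["opened_path"]))
    return hits
```

On the server side, the corresponding mitigation is to reject any parameter value containing a NUL byte before the extension check runs.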