Torrential 1.2 Directory Traversal

Type securityvulns
Reporter Securityvulns
Modified 2005-12-11T00:00:00


I was poking around my own server because I had an installation of torrential and found this vuln. The problem lies in getdox.php. It works by taking an argument after a "/". This specifies a file. The DOX folder that it grabs the files from is located int /dox such that / is the directory that the main index is in. Now, you can give it the parameter of /(any file) and it will fetch that file.

EXAMPLES: (goes to the forums page) (goes to in this case)

The vulnerability lies in the fact that getdox.php directly reads the file with fopen/fread.