Bcoos highlight.php traversal file access

####################################
Bcoos =< 1.0.13 highlight.php traversal file access
Vendor URL: http://www.bcoos.net
Advisore:http://lostmon.blogspot.com/2008/05/
bcoos-highlightphp-traversal-file.html
Vendor notify:yes Exploit available:yes
####################################


bcoos is content-community management system written in PHP-MySQL

Directory traversal vulnerability in bcoos 1.0.13 and earlier
allows remote attackers to read arbitrary files via a ../
(dot dot) in the CD command or if the attacker know the full path.

Only Can read Files with extension, if the file don´t have extension
bcoos redirect to index.

##############
Versions
##############

bcoos 1.0.13
bcoos 1.0.12
bcoos 1.0.11
bcoos 1.0.10
bcoos 1.0.9

##############
Solution
##############

No solutions was available at this time !!!

Vendor Bugtrack : http://www.bcoos.net/modules/
devtracker/view_issue.php?issue_id=2467

##############
TimeLine
##############

Discovered:02-03-2008
vendor notify:18-05-2008
vendor response:
vendor fix:
Disclosure:18-05-2008

################
Proof of Concept
################

http://localhost/bcoos/class/debug/
highlight.php?file=C:\boot.ini

http://localhost/bcoos/class/debug/
highlight.php?file=../../../../../boot.ini

For exploit this issue the attacker need webmaster privileges.
But if a system has multiple webmasters.. all can read files
outside webserver root directory.

The file what we want to access need a extension if the file no
have extensionvwe can´t read it, and bcoos redirects to index.

################€nd##################

--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....