The exploit demonstrates a Local File Inclusion (LFI) vulnerability in AnimaGallery 2.6 via unchecked cookie parameters 'theme' and 'lang'. The PoC uses curl commands to inject path traversal sequences to read arbitrary files (e.g., /etc/passwd).
Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target:AnimaGallery 2.6
No auth needed
Prerequisites:PHP with magic_quotes_gpc disabled · Cookie parameters not locked (THEME_LOCKED/LANG_LOCKED disabled)