onArcade 2.4.x Local File Get Contents Vulnerability

onArcade is a PHP CMS for hosting videos and online games. Its template file handler does not filter the template path sufficiently,
so the path passed to file_get_contents() can be influenced by the request, which leads to a local file read vulnerability.

[2] Vulnerable Versions

onArcade 2.4.2
onArcade 2.4.1
onArcade 2.4.0

[3] Bug Track

Because of the special treatment of the .php extension, files with a .php extension cannot be read directly.
On PHP <= 5.3.4, however, a null byte can be used to truncate the file path and so "drop" the extension.
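
The weak pattern this advisory describes (a template path built from request input and guarded only by a check on the .php suffix) next to a hardened loader, as an added example that is not onArcade's code. The template directory, the .tpl extension and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from onArcade. Contrasts an extension-only check
// with a loader that restricts the name, resolves the path and confines it.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed template root

// Weak pattern: only a trailing ".php" is refused. Anything else goes straight
// to file_get_contents(), so traversal sequences reach the filesystem, and on
// PHP <= 5.3.4 an embedded NUL byte cuts the path short, hiding the real suffix
// from this check.
function loadTemplateWeak(string $name)
{
    if (substr($name, -4) === '.php') {
        return false;
    }
    return @file_get_contents(TEMPLATE_DIR . '/' . $name);
}

// Hardened loader:
//  1. reject NUL bytes and anything outside a strict name alphabet,
//  2. append the extension in code instead of trusting the caller,
//  3. resolve with realpath() and require the result to stay under TEMPLATE_DIR.
function loadTemplateSafe(string $name)
{
    if (strpos($name, "\0") !== false) {
        return false;                     // NUL bytes are never legitimate here
    }
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return false;                     // no slashes, dots or other separators
    }
    $root = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.tpl');
    if ($root === false || $path === false) {
        return false;                     // missing root or unknown template
    }
    // Containment check: the resolved path must start with root + separator,
    // so a symlink or stray component cannot lead outside the template tree.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// Self-check with constructed inputs; creates a sample template on the fly.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    @mkdir(TEMPLATE_DIR);
    file_put_contents(TEMPLATE_DIR . '/home.tpl', "<h1>home</h1>\n");
    $cases = ['home', '../index', "home\0", 'home.tpl/../../index'];
    foreach ($cases as $c) {
        $verdict = loadTemplateSafe($c) !== false ? 'served' : 'rejected';
        printf("%-28s %s\n", addcslashes($c, "\0"), $verdict);
    }
}
```

Run it with the PHP CLI: only the plain name "home" is served; the traversal, NUL-byte and mixed inputs are all rejected before file_get_contents() is reached. The allowlist regex does most of the work; the realpath() containment check is defence in depth for cases such as symlinked template directories.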

[4] POC Video

[5] Links
