WebApp Sec mailing list archives

php script, traversal directory problem for file disclosure


From: "bermejator.com Messenger" <msn () bermejator com>
Date: Sat, 1 May 2010 20:25:08 +0200

Hi all, I have been working for some days on this script, which is vulnerable to file
disclosure, with an obfuscation technique in PHP.

http://www.clearskies.net/documents/css-advisory-css09001-sspdirector.pdf

Vulnerable script sample:
http://pastebin.com/wWTc7ap7

The script takes a GET parameter "a" which is vulnerable to full disclosure, but
it has an obfuscation issue:

The post data I introduce is like this:

../test,avatar-7,1440,866,2,100,5,50,50

So, after obfuscation I get my post data like:

http://localhost/p.php?a=º\Ozw9dXZ5fz9lfGp2cnYsPC47IjM5JzI0MSo7LTMiNzknPjQjJj4j

If I execute debug I get:

VAL: º\Ozw9dXZ5fz9lfGp2cnYsPC47IjM5JzI0MSo7LTMiNzknPjQjJj4j
CRYPT: ../test,avatar-7,1440,866,2,100,5,50,50

A0: ../test
FILE: test

ORIGINAL:/var/www/script/albums/avatars/7/test
PATH:/var/www/script/albums/avatars/7/test

It's not possible for me to do a correct traversal path...

I tried other encodings, but with no success:

$valor = convert("..%2Ftest,avatar-7,1440,866,2,100,5,50,50");
$valor = convert("%25%25%2Ftest,avatar-7,1440,866,2,100,5,50,50");
$valor = convert(".\"./\"test,avatar-7,1440,866,2,100,5,50,50");
...

I think I can't break:
     $file = $fn = basename($a[0]);

Can anybody help me?
Thank you
Rubén
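
Added example, not part of the original message and not the script's own code: a PHP sketch of why the debug output above shows PATH staying inside the avatar directory, with a realpath() containment check as a second layer behind basename(). The function name resolve_avatar_path, the temporary sandbox directory and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from the script in the post.
// Resolves the first comma-separated field to a file that must stay inside $baseDir.
function resolve_avatar_path(string $decoded, string $baseDir): ?string
{
    $fields = explode(',', $decoded);
    $name = basename($fields[0]);           // drops every directory component
    if ($name === '' || $name === '.' || $name === '..') {
        return null;                         // nothing usable left after basename()
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false) {
        return null;                         // file does not exist
    }
    // Second layer: the canonical path (symlinks resolved) must still sit under the base.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sandbox: <tmp>/.../albums/avatars/7/test plus a same-named file one level up.
$root = sys_get_temp_dir() . '/bn_demo_' . uniqid();
$dir = $root . '/albums/avatars/7';
mkdir($dir, 0700, true);
file_put_contents($dir . '/test', 'inside');
file_put_contents($root . '/albums/avatars/test', 'outside');

// Constructed inputs in the field layout shown in the post.
$inputs = [
    '../test,avatar-7,1440,866,2,100,5,50,50',
    '..%2Ftest,avatar-7,1440,866,2,100,5,50,50',
    '..,avatar-7,1440,866,2,100,5,50,50',
];
foreach ($inputs as $in) {
    $path = resolve_avatar_path($in, $dir);
    printf("%-45s => %s\n", $in, $path ?? 'rejected');
}
```

The first input resolves to the file inside the avatar directory, never the same-named file one level up; the other two are rejected because no such file exists there or because nothing but ".." remains after basename().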



