Iv4nS / mraid-web-tester

Automatically exported from code.google.com/p/mraid-web-tester

imageDownload.php is a security risk #20

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This file can allow users to download any file from the php server it's running on.

1. Go to [path to the file on your server]/imageDownload.php?imageUrl=/etc/hosts (or some other system file)
2. Open the downloaded file in a text editor
3. Look at the contents of the file you've been able to obtain from outside of webroot.

I'm not sure what to expect from this file, as it looks like it's trying to download a file from the host rather than from the ad.

Original issue reported on code.google.com by sean.mer...@tubemogul.com on 17 Dec 2013 at 10:38

GoogleCodeExporter commented 9 years ago
Sean,

Thanks for your note. Right now the main site is hosted on a CDN so there is no PHP backend unless you install this locally.

That said, we want to move to a new host with PHP. Can you recommend the patch?

Thanks,
-Nathan

Original comment by nathan.c...@crispmedia.com on 27 Mar 2014 at 7:42
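One way to close the file read described in the report, as an added example: this is not the project's imageDownload.php and not code from either commenter. It assumes the endpoint is meant to fetch a remote http(s) image and return it as a download, and that the curl and fileinfo extensions are available; `validate_image_url`, `MAX_BYTES` and `ALLOWED_MIME` are hypothetical names.

```php
<?php
// Added example; assumes imageUrl should name a remote http(s) image, never a local path.
const MAX_BYTES = 5242880; // constructed 5 MiB cap
const ALLOWED_MIME = ['image/png', 'image/jpeg', 'image/gif'];
// Returns [url, "host:port:ip"] for an acceptable URL, or null.
function validate_image_url(string $raw): ?array
{
    $p = parse_url($raw);
    // A bare path such as /etc/hosts has no scheme or host and stops here.
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    // Only http(s): excludes file://, php:// and other stream wrappers.
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // Refuse hosts that resolve to private or reserved (incl. loopback) ranges.
    $ip = gethostbyname($p['host']);
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [$raw, "{$p['host']}:{$port}:{$ip}"];
}
$raw = $_GET['imageUrl'] ?? '';
$target = is_string($raw) ? validate_image_url($raw) : null;
if ($target === null) {
    http_response_code(400);
    exit('Invalid imageUrl');
}
$ch = curl_init($target[0]);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,          // a redirect could bypass the checks
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_RESOLVE        => [$target[1]],   // connect to the address that was vetted
    CURLOPT_TIMEOUT        => 10,
]);
$body = curl_exec($ch);
// Sniff the type from the bytes received, not from any extension or header.
$mime = is_string($body) ? (new finfo(FILEINFO_MIME_TYPE))->buffer($body) : false;
if ($mime === false || strlen($body) > MAX_BYTES || !in_array($mime, ALLOWED_MIME, true)) {
    http_response_code(415);
    exit('Not an allowed image');
}
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="image"');
echo $body;
```

With this in place the request from step 1 of the report (`imageUrl=/etc/hosts`) returns HTTP 400, because the value has neither a scheme nor a host.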

GoogleCodeExporter commented 9 years ago
This issue has been transferred to the GitHub code project, https://github.com/mraid/webtester.

Original comment by nathan.c...@crispmedia.com on 1 Jul 2014 at 8:20