Odonel / globalban-spanish

Automatically exported from code.google.com/p/globalban-spanish

Local file inclusion in index.php #19

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
index.php
$page = $_GET['page']; // UNFILTERED!

Include a PHP file on the server:
index.php?page=../somephpfile

Read /etc/passwd:
index.php?page=../../../../../../../../etc/passwd[POISON NULL BYTE]

Fix:
$page = basename(str_replace(chr(0), "", $_GET['page']));

Original issue reported on code.google.com by accz....@gmail.com on 10 Oct 2010 at 3:18
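
The fix quoted above, combined with an allowlist and a resolved-path containment check, as an added example that is not part of the original issue or the GlobalBan code. The pages directory, the `.php` suffix and the function names are assumptions about how index.php builds its include path.

```php
<?php
// Added example (not project code). Assumes index.php includes "<pages dir>/<page>.php".

// The sanitisation proposed in the issue: drop NUL bytes, keep the last path component.
function sanitize_page(string $raw): string
{
    return basename(str_replace(chr(0), '', $raw));
}

// Return the absolute path of an includable page, or null when the request is refused.
function resolve_page(string $raw, string $pagesDir): ?string
{
    // Refuse anything the sanitiser would have altered instead of silently rewriting it.
    if (sanitize_page($raw) !== $raw) {
        return null;
    }
    // Allowlist the character set: no dots, slashes, or stream-wrapper syntax.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $raw . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page does not exist
    }
    // Containment: after symlinks are resolved the file must sit directly in $base.
    return dirname($path) === $base ? $path : null;
}

// Constructed demo: a throwaway pages directory holding one legitimate page.
$dir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';");

// Constructed inputs mirroring the requests in the issue, plus one valid page.
$samples = ['home', '../somephpfile', "../../../../etc/passwd\0", 'missing', ''];
foreach ($samples as $raw) {
    $resolved = resolve_page($raw, $dir);
    printf("%-36s => %s\n",
        json_encode($raw, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

// Clean up the demo directory.
unlink($dir . '/home.php');
rmdir($dir);
```

Only `home` resolves; both traversal requests are refused before any filesystem call because sanitising them changes the string.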

GoogleCodeExporter commented 9 years ago

Original comment by apadro...@gmail.com on 15 Oct 2010 at 7:02