digininja / DVWA

Damn Vulnerable Web Application (DVWA)
GNU General Public License v3.0

file inclusion error #635

Closed cmq104 closed 6 months ago

cmq104 commented 6 months ago

Questions here may or may not be answered depending on the state of the question, to increase your chance, read this before asking Asking For Technical Help.

Basically, the more details you give, the more chance of getting an answer. We need at least:

I wrote a Python script to detect path traversal vulnerabilities, and it reports an Array to string conversion error.

My setup is in the following picture: [image]

Support will only be given for users running the latest pull of code from GitHub. Not a tagged release, not a pre-installed app, not a ZIP you got from a mate.

digininja commented 6 months ago

It looks like you aren't running the latest version of DVWA

This is line 77 along with context and that line is not going to throw the error you are seeing.

 70 
 71     session_set_cookie_params([
 72         'lifetime' => $maxlifetime,
 73         'path' => '/',
 74         'domain' => $domain,
 75         'secure' => $secure,
 76         'httponly' => $httponly,
 77         'samesite' => $samesite
 78     ]);
 79 
 80     session_start();
 81 

Get the latest version of the app from this repo and try again.

cmq104 commented 6 months ago

I tried two ways to download the latest version, one by downloading the code zip, one by git clone. The following picture shows how I git clone: [image]. Then I copy it into apache2 and restart apache2: [image]. But it shows the same error: [image]. The following picture shows /var/www/html/DVWA/dvwa/includes/dvwaPage.inc.php: [image]

BTW, I don't understand why it can report this error either :( It seems there is no array to string in line 77.

digininja commented 6 months ago

Let's just check that you are looking at the right file. Edit /var/www/html/DVWA/dvwa/includes/dvwaPage.inc.php and insert three lines of empty comments at the top of the file. If the report is coming from this file, then the error should move to line 80, if it stays at 77 then something else is going wrong.

cmq104 commented 6 months ago

I inserted four blank lines at the top [image] and it shows in line 81 now [image]

digininja commented 6 months ago

Got it, I think you might be running a version of PHP earlier than 7.3, can you check?

The definition of session_set_cookie_params changed from taking individual parameters to being able to take an array with named parameters from 7.3:

https://www.php.net/session_set_cookie_params

Version 7.2 reached end of life in 2020 so I'll count this as an unsupported version and ask you to upgrade to a newer version of PHP.
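Added example (not part of the thread and not DVWA's own code): a fail-closed guard around the array form of `session_set_cookie_params`, so a pre-7.3 interpreter produces a clear version error instead of the "Array to string conversion" notice and a session cookie without the intended attributes. The function name `apply_session_cookie_params` and the sample values are hypothetical.

```php
<?php
// Added illustration; apply_session_cookie_params() is a hypothetical helper.

/**
 * Apply session cookie options using the array signature (PHP >= 7.3).
 *
 * On older versions the first positional argument is the lifetime, so an
 * options array passed there cannot be used as intended; 'samesite' in
 * particular has no positional equivalent. Refuse to continue rather than
 * start a session with weaker cookie attributes than requested.
 */
function apply_session_cookie_params(array $opts, int $versionId = PHP_VERSION_ID): void
{
    if ($versionId < 70300) {
        $found = intdiv($versionId, 10000) . '.' . intdiv($versionId % 10000, 100);
        throw new RuntimeException(
            "PHP $found detected: session_set_cookie_params() accepts an options "
            . "array (including 'samesite') only from PHP 7.3. Upgrade PHP."
        );
    }

    if (!session_set_cookie_params($opts)) {
        throw new RuntimeException('session_set_cookie_params() rejected the options.');
    }
}

// Constructed sample values, mirroring the keys in the snippet quoted above.
try {
    apply_session_cookie_params([
        'lifetime' => 86400,
        'path'     => '/',
        'domain'   => 'localhost',
        'secure'   => false,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
} catch (RuntimeException $e) {
    // Log the cause and stop before any session is created.
    error_log($e->getMessage());
    exit(1);
}
```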

cmq104 commented 6 months ago

I see. My Linux is Ubuntu 18.04 and apt-get only supplies PHP 7.2. I'll upgrade my system to 20.04 and try again anyway. Thank you very much for your answer.

digininja commented 6 months ago

Problem solved.