habiboedris / webgrind

Automatically exported from code.google.com/p/webgrind

File path injection vulnerability #62

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The file GET argument in index.php?op=fileviewer can be used to view any file 
on the server (provided the user the web server is running as has appropriate 
permissions).

For example: 
"http://www.example.com/webgrind/index.php?op=fileviewer&file=/etc/passwd" will 
display the contents of /etc/passwd.

I'm thinking that maybe there should be a setting that defines your "codebase 
directory" and not allow the reading of any other files outside of that 
directory.

Original issue reported on code.google.com by binarycl...@gmail.com on 3 Nov 2010 at 8:45
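The "codebase directory" confinement proposed above, as an added example in PHP that is not webgrind's own code: the `CODEBASE_DIR` setting and the `fileviewer()` handler are assumptions, and the point is that `realpath()` canonicalisation followed by a prefix check keeps every read inside the configured directory, whatever the `file` argument contains.

```php
<?php
// Added example (not webgrind's code). The setting name is hypothetical.
const CODEBASE_DIR = '/var/www/myapp/src';

/**
 * Resolve a user-supplied path and return its canonical form only if it lies
 * inside $baseDir; otherwise return null. realpath() collapses "..", "." and
 * symlinks, and returns false for paths that do not exist, so the prefix
 * comparison is made on the real location of an existing file.
 */
function resolveWithinCodebase(string $requested, string $baseDir): ?string
{
    // Empty input and embedded NUL bytes are rejected before any filesystem call.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // misconfigured base directory: refuse everything
    }
    // Relative input is taken relative to the codebase; absolute input
    // (e.g. /etc/passwd) is checked as given and fails the prefix test.
    $candidate = $requested[0] === '/' ? $requested : $base . '/' . $requested;
    $real = realpath($candidate);
    if ($real === false) {
        return null;
    }
    // Compare with a trailing separator so "/srv/app" does not also accept
    // files under "/srv/app-private/".
    $prefix = rtrim($base, '/') . '/';
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Hardened fileviewer handler: anything outside the codebase is refused.
function fileviewer(string $fileArg): string
{
    $path = resolveWithinCodebase($fileArg, CODEBASE_DIR);
    if ($path === null || !is_file($path)) {
        http_response_code(403);
        return 'Access denied';
    }
    return htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
}

// Usage for index.php?op=fileviewer&file=... (request shape assumed):
echo fileviewer($_GET['file'] ?? '');
```

With this check in place the `file=/etc/passwd` request from the report resolves to a path outside `CODEBASE_DIR` and gets a 403 instead of the file contents, while `file=lib/foo.php` inside the codebase still works.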

GoogleCodeExporter commented 8 years ago
Don't put webgrind on public production servers. It is intended only for 
development environments.

Original comment by gugakf...@gmail.com on 4 Nov 2010 at 11:50