mraid / webtester

MRAID Web-based Ad Creative Testing Tool
http://webtester.mraid.org
BSD 2-Clause "Simplified" License

imageDownload.php is a security risk #1

Open ncarver opened 10 years ago

ncarver commented 10 years ago

Reported by sean.merrigan [at] tubemogul.com, Dec 17, 2013.

This file can allow users to download any file from the PHP server it's running on.

  1. Go to [path to the file on your server]/imageDownload.php?imageUrl=/etc/hosts (or some other system file)
  2. Open the downloaded file in a text editor
  3. Look at the contents of the file you've been able to obtain from outside of webroot.

I'm not sure what to expect from this file, as it looks like it's trying to download a file from the host rather than from the ad.

dpyryesk commented 9 years ago

I believe this can be solved by using an appropriate PHP configuration on the server. Documentation: http://php.net/manual/en/ini.core.php#ini.open-basedir
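The reproduction above works because the handler treats whatever arrives in `imageUrl` as something to open and stream back, so a bare filesystem path such as `/etc/hosts` is read straight off the server. `open_basedir` limits which directories the PHP process may open and is worth setting, but it does not stop the script from accepting non-URL input in the first place, and anything inside the permitted directories (the application's own config files, for example) stays readable. The following is an added example, not code from the webtester project or from either commenter: a hardened stand-in for an imageDownload.php-style handler that only proxies absolute http(s) URLs with a real remote host. The function names, the 5-second timeout and the constructed test inputs are assumptions for illustration.

```php
<?php
// Added example, not the webtester project's own imageDownload.php.
// Only an absolute http(s) URL with a non-local host is ever fetched, so
// local paths (/etc/hosts), traversal strings and file:// / php:// wrappers
// are rejected before anything touches the disk or the network.
// Function names, timeout and test inputs below are assumptions.
declare(strict_types=1);

const ALLOWED_SCHEMES = ['http', 'https'];

/**
 * Return the URL if it is safe to fetch, or null if it must be refused.
 */
function validate_image_url(string $imageUrl): ?string
{
    // Rejects bare paths ("/etc/hosts"), relative references ("../x") and junk.
    if (filter_var($imageUrl, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($imageUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // e.g. file:///etc/passwd parses with no host component
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null; // blocks file://, php://, data:, ftp://, gopher:// ...
    }
    // Ad creatives live on remote CDNs: refuse the server itself and its
    // private network so the proxy cannot be turned into an SSRF primitive.
    // (Production code should also resolve the name and re-check the IP.)
    $host = strtolower(trim($parts['host'], '[]'));
    if ($host === 'localhost') {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP,
                      FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null; // loopback, link-local, RFC 1918, etc.
    }
    return $imageUrl;
}

/**
 * Fetch the validated URL and stream it to the client as an attachment.
 */
function serve_image(string $imageUrl): void
{
    $url = validate_image_url($imageUrl);
    if ($url === null) {
        http_response_code(400);
        echo "imageUrl must be an absolute http(s) URL to a remote host\n";
        return;
    }
    // No redirects: a redirect to http://127.0.0.1/ would bypass the check.
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        http_response_code(502);
        echo "upstream fetch failed\n";
        return;
    }
    // Derive a filename from the URL path and strip anything that could
    // break out of the Content-Disposition header.
    $name = basename((string) (parse_url($url, PHP_URL_PATH) ?: 'image'));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?: 'image';
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    echo $body;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs (assumed), including the reporter's /etc/hosts case.
    $cases = [
        '/etc/hosts'                          => false,
        '../../etc/passwd'                    => false,
        'file:///etc/passwd'                  => false,
        'php://filter/resource=index.php'     => false,
        'http://localhost/'                   => false,
        'http://127.0.0.1/admin'              => false,
        'http://10.0.0.5/creative.png'        => false,
        'http://ads.example.com/creative.png' => true,
    ];
    foreach ($cases as $input => $expected) {
        $accepted = validate_image_url($input) !== null;
        printf("%-40s %s\n", $input, $accepted === $expected ? 'ok' : 'MISMATCH');
    }
} else {
    serve_image((string) ($_GET['imageUrl'] ?? ''));
}
```

Run it from the command line (`php imageDownload.php`) to exercise the validator against the constructed inputs; under a web server it behaves as the handler. Pair it with `open_basedir` in php.ini (or a per-directory .user.ini) as a second layer: the directive caps what the process can open even if a future code change reintroduces a raw path read, while the validator keeps the handler from treating a path as a URL at all.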