uranusmars / webgrind

Automatically exported from code.google.com/p/webgrind


File path injection vulnerability

GoogleCodeExporter opened this issue

The file GET argument in index.php?op=fileviewer can be used to view any file 
on the server (provided the user the web server is running as has appropriate 
permissions).

For example: 
"http://www.example.com/webgrind/index.php?op=fileviewer&file=/etc/passwd" will 
display the contents of /etc/passwd.

I'm thinking that maybe there should be a setting that defines your "codebase 
directory" and not allow the reading of any other files outside of that 
directory.

Original issue reported on code.google.com by binarycl...@gmail.com on 3 Nov 2010 at 8:45

  • Merged into: #59
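The pattern the report describes, and the "codebase directory" restriction it proposes, as an added example (this is illustrative code written for this page, not webgrind's own fileviewer; the `$codebaseDir` setting, the function names and the paths are assumptions):

```php
<?php
// Added example, not webgrind's code. A hypothetical file viewer showing the
// unrestricted read described in the report beside a version confined to a
// configured "codebase directory".

// Assumed configuration value: the only directory the viewer may read from.
$codebaseDir = '/var/www/project/src';

// Vulnerable pattern: the GET parameter is used directly as a path, so
// ?file=/etc/passwd (or ../../etc/passwd, or a symlink inside the web root)
// returns any file the web server user can read.
function viewFileUnsafe(string $file): string
{
    return htmlspecialchars((string) file_get_contents($file));
}

// Confined version: resolve both the base and the requested path with
// realpath() (which collapses "..", duplicate separators and symlinks),
// then require the resolved target to lie strictly inside the resolved base.
function viewFileConfined(string $file, string $codebaseDir): string
{
    if ($file === '' || strpos($file, "\0") !== false) {
        throw new RuntimeException('invalid file name');
    }
    $base = realpath($codebaseDir);
    if ($base === false) {
        throw new RuntimeException('codebase directory does not exist');
    }
    // Relative names are interpreted relative to the codebase directory;
    // absolute names are resolved as given and then subjected to the same check.
    $candidate = ($file[0] === '/') ? $file : $base . '/' . $file;
    $target = realpath($candidate);
    if ($target === false) {
        throw new RuntimeException('file not found');
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as /var/www/project/src-old does not pass for /var/www/project/src.
    $prefix = rtrim($base, '/') . '/';
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('file outside codebase directory');
    }
    if (!is_file($target)) {
        throw new RuntimeException('not a regular file');
    }
    return htmlspecialchars((string) file_get_contents($target));
}

// How index.php?op=fileviewer would call it (assumed wiring):
// $file = $_GET['file'] ?? '';
// echo '<pre>' . viewFileConfined($file, $codebaseDir) . '</pre>';
```

The check is done on the fully resolved path rather than by stripping `..` from the input, because string filtering misses encoded separators and symlinks that point out of the tree. Note that confining reads to the codebase directory still exposes everything inside it, including any configuration or credential files kept alongside the source, so it limits the damage rather than making the viewer safe to expose publicly.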
Don't put webgrind on public production servers. It is intended only for 
development environments

Original comment by gugakf...@gmail.com on 4 Nov 2010 at 11:50

  • Changed state: Duplicate