File path injection vulnerability
GoogleCodeExporter opened this issue
The file GET argument in index.php?op=fileviewer can be used to view any file
on the server (provided the user the web server is running as has appropriate
permissions).
For example:
"http://www.example.com/webgrind/index.php?op=fileviewer&file=/etc/passwd" will
display the contents of /etc/passwd.
I'm thinking that maybe there should be a setting that defines your "codebase
directory" and not allow the reading of any other files outside of that
directory.
Original issue reported on code.google.com by binarycl...@gmail.com
on 3 Nov 2010 at 8:45
- Merged into: #59
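The "codebase directory" setting proposed above can be enforced by canonicalising the requested path and checking that it lies under the configured directory before reading it. The following is an added example of that check, not webgrind's own code; the setting name `$codebaseDir`, the function `resolveWithinCodebase()` and the sample directory are assumptions. Comparing canonical paths (after `realpath()` has resolved `..`, symlinks and relative segments) matters because a plain string check on the raw `file` argument can be bypassed.

```php
<?php
// Added example (not webgrind's code): confine op=fileviewer reads to a
// configured directory. $codebaseDir is the hypothetical "codebase directory"
// setting the issue proposes. Requires PHP 8.0+ for str_starts_with().
declare(strict_types=1);

/**
 * Return the canonical path of $requested if it is a regular file inside
 * $codebaseDir, otherwise null. realpath() resolves "..", symlinks and
 * relative segments, so the containment check runs on canonical paths,
 * never on the raw GET parameter.
 */
function resolveWithinCodebase(string $codebaseDir, string $requested): ?string
{
    $base = realpath($codebaseDir);
    if ($base === false || !is_dir($base)) {
        return null;                       // misconfigured base directory
    }

    // Relative requests are interpreted relative to the codebase directory.
    // Absolute ones are still checked, so "/etc/passwd" is rejected unless the
    // codebase directory really is "/" (in which case the setting is useless
    // and should be tightened).
    $candidate = ($requested !== '' && $requested[0] === '/')
        ? $requested
        : $base . '/' . $requested;

    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;                       // nonexistent, or not a regular file
    }

    // Trailing slash prevents "/var/www/myapp-secret" matching "/var/www/myapp".
    $prefix = rtrim($base, '/') . '/';
    return str_starts_with($real, $prefix) ? $real : null;
}

// Usage in the fileviewer handler (hypothetical configuration value):
$codebaseDir = '/var/www/myapp';
$file = resolveWithinCodebase($codebaseDir, $_GET['file'] ?? '');
if ($file === null) {
    http_response_code(403);
    exit('Requested file is outside the configured codebase directory.');
}
// Escape before output so source files cannot inject markup into the viewer.
echo '<pre>' . htmlspecialchars(file_get_contents($file), ENT_QUOTES, 'UTF-8') . '</pre>';
```

With this in place, a request for `/etc/passwd` or `../../etc/passwd` resolves to a path outside `$codebaseDir` and is refused with a 403, while files under the profiled application's directory are still viewable. The advice in the reply below still applies: confining reads reduces exposure but does not make the tool suitable for public servers.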
Don't put webgrind on public production servers. It is intended only for
development environments
Original comment by gugakf...@gmail.com
on 4 Nov 2010 at 11:50
- Changed state: Duplicate