Security problem in XMLFiles.php
andrespagella opened this issue · 1 comments
Keep in mind that you can use XMLFiles.php to access folders from outside the DocumentRoot, or do things such as:
view-source:http://isometric.beakable.com/com/xml/XMLFiles.php?folder=../../../var/www/cgi-bin
view-source:http://isometric.beakable.com/com/xml/XMLFiles.php?folder=../../../var/www
view-source:http://isometric.beakable.com/com/xml/XMLFiles.php?folder=../../../etc
I just added a quick check to ensure people can't go beyond the document root. We are going to phase out the xml system shortly and switch to JSON as this was an aspect we initially carried over from the old isometric system.
When we do we will also look at the whole file listing approach and possibly find a better alternative.
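For reference, this is the shape of check the thread is talking about: the `folder` parameter is resolved with `realpath()` and then required to stay under a fixed base directory, so `..` segments and absolute paths cannot reach anything outside it. This is an added example written for this page, not the project's own XMLFiles.php code or its patch; the base directory (`xml_data` next to the script), the function names and the JSON output format are assumptions.

```php
<?php
// Added example (not the project's code): confine a user-supplied "folder"
// parameter to a fixed base directory before listing anything from it.
// Assumptions: the parameter is $_GET['folder'] as in XMLFiles.php, and the
// listable XML directories live below a base directory defined here.

function resolve_listing_dir(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null; // misconfigured base directory: fail closed
    }
    if ($requested === '') {
        $requested = '.'; // empty parameter means the base directory itself
    }
    // NUL bytes and absolute paths are never legitimate here; reject them early.
    if (strpos($requested, "\0") !== false || $requested[0] === '/' || $requested[0] === '\\') {
        return null;
    }
    // realpath() collapses "." and ".." and resolves symlinks, so the result is
    // the directory that would actually be read.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_dir($target)) {
        return null; // does not exist or is not a directory
    }
    // After canonicalisation a plain prefix comparison is sufficient: the
    // target must be the base itself or live strictly below it.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $target;
}

function list_xml_files(string $dir): array
{
    $files = [];
    foreach (scandir($dir) as $name) {
        // Only plain .xml files are reported; subdirectories and other files are skipped.
        if (preg_match('/\.xml$/i', $name) && is_file($dir . DIRECTORY_SEPARATOR . $name)) {
            $files[] = $name;
        }
    }
    return $files;
}

// Endpoint usage (assumed base directory and assumed JSON output).
$base = __DIR__ . DIRECTORY_SEPARATOR . 'xml_data';
$dir  = resolve_listing_dir($base, $_GET['folder'] ?? '');
if ($dir === null) {
    http_response_code(400);
    exit('Invalid folder');
}
header('Content-Type: application/json');
echo json_encode(list_xml_files($dir));
```

Two points worth noting when adopting a check like this. First, the comparison must run on the `realpath()` result, not on the raw parameter: filtering the string for `..` misses encoded or mixed-separator variants, whereas the canonical path either lies under the base or it does not. Second, because `realpath()` follows symlinks, a link inside the base that points elsewhere is rejected as well, which is the intended behaviour for a listing endpoint.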