Security problem in XMLFiles.php

Question

Security problem in XMLFiles.php

andrespagella opened this issue 11 years ago · 1 comments

Keep in mind that you can use XMLFiles.php to access folders from outside the DocumentRoot, or do things such as:

view-source:http://isometric.beakable.com/com/xml/XMLFiles.php?folder=../../../var/www/cgi-bin
view-source:http://isometric.beakable.com/com/xml/XMLFiles.php?folder=../../../var/www
view-source:http://isometric.beakable.com/com/xml/XMLFiles.php?folder=../../../etc

Answer 1 · 2013-10-14T23:17:30.000Z

I just added a quick check to ensure people can't go beyond the document root. We are going to phase out the xml system shortly and switch to JSON as this was and aspect we initially carried over from the old isometric system.
When we do we will also look at the whole file listing approach and possibly find a better alternative.