jokkedk/webgrind

Local File Disclosure using fileviewer functionality

Closed this issue · 2 comments

Line 129 in index.php lets anyone view all the local files the web-server has access to.

        case 'fileviewer':
            $file = get('file');

Example exploit
example.com/webgrind/index.php?op=fileviewer&file=/etc/passwd

Can we avoid relying on user input to get 'file'?

This is not the purpose of this project; it should only be run locally in the test environment, NEVER in a publicly accessible environment.
That is why no measures are necessary to prevent this kind of situation.

Correct, this is intended behaviour. Additionally, your production environment should not even have xdebug installed.

(Of note, you will only be able to view files the server can read. /etc/passwd is not that problematic, as the password hashes are actually in /etc/shadow. If apache can read that, you have other problems. Still, someone could access /path/to/site/db-config.php for some handy plain text passwords.)
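For readers who do want to answer the reporter's question ("Can we avoid relying on user input to get 'file'?"), the following is an added example and not webgrind's own code. It places the reported pattern (reading back whatever path the `file` parameter names) next to a hardened variant that canonicalises the path with `realpath()` and serves it only if it sits under an operator-supplied allow-list of source roots. The function names, the `$allowedRoots` parameter and the temporary-directory demo are assumptions made for this example.

```php
<?php
// Added example, not webgrind's own code: the vulnerable lookup beside a hardened one.
// resolveViewableFile(), viewFileSafe(), viewFileUnsafe() and $allowedRoots are hypothetical.
declare(strict_types=1);

/** Pattern from the report: the client-controlled path is read back verbatim. */
function viewFileUnsafe(string $requested): string
{
    return (string) file_get_contents($requested);
}

/**
 * Resolve $requested to a canonical path and accept it only when it lies under one of
 * $allowedRoots. Returns null on any rejection so the caller can answer with a 404.
 */
function resolveViewableFile(string $requested, array $allowedRoots): ?string
{
    // An embedded NUL byte truncates the path at the C layer (and makes realpath() throw
    // on PHP 8), so reject it before doing anything else.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", symlinks and repeated separators, so the prefix check
    // below cannot be bypassed with traversal tricks; it returns false for missing files.
    $real = realpath($requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    foreach ($allowedRoots as $root) {
        $rootReal = realpath($root);
        if ($rootReal === false) {
            continue;
        }
        // Compare against the root plus a trailing separator so that /var/www matches
        // /var/www/x but not /var/www-secret/x.
        $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    return null;
}

/** Hardened replacement for the 'fileviewer' branch: null means "not served". */
function viewFileSafe(string $requested, array $allowedRoots): ?string
{
    $path = resolveViewableFile($requested, $allowedRoots);
    return $path === null ? null : (string) file_get_contents($path);
}

// Constructed demo data: a throwaway source root plus a file just outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fileviewer-demo-' . getmypid();
mkdir($root . '/src', 0700, true);
file_put_contents($root . '/src/app.php', "<?php echo 'hello';\n");
file_put_contents($root . '/secret.txt', "db_password=example\n");

$allowed = [$root . '/src'];

$cases = [
    $root . '/src/app.php',          // legitimate: inside the allowed root
    $root . '/src/../secret.txt',    // traversal out of the root
    '/etc/passwd',                   // absolute path, as in the report
    $root . "/src/app.php\0.txt",    // NUL-byte truncation attempt
];

foreach ($cases as $c) {
    $verdict = viewFileSafe($c, $allowed) === null ? 'rejected' : 'served';
    printf("%-50s %s\n", str_replace("\0", '\\0', $c), $verdict);
}

// Tidy up the demo files.
unlink($root . '/src/app.php');
unlink($root . '/secret.txt');
rmdir($root . '/src');
rmdir($root);
```

Run it with `php` on the command line; only the first case is served, the other three are rejected. The check is deliberately done on the resolved path rather than on the raw string, because a string-level filter for `..` or a leading `/` is what symlinks and encoding variants routinely get around. In a real deployment the allow-list would be the directory tree webgrind is profiling, and as the maintainers point out above, the tool should still not be exposed publicly at all.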