2 Replies Latest reply on Nov 12, 2015 10:57 AM by TSGal

    Potential Local File Inclusion




      FileMaker Pro


      Description of the issue

      The PHP test page below does not properly validate the GET request parameter "lang" before backend processing. The application takes this value and creates a string which is then passed to fopen(). Under certain circumstances it may be possible to escape out of this string and access local files on the filesystem.


      Steps to reproduce the problem


      Expected result

      All user-supplied inputs should be checked against an enumerated list of values before being passed to fopen().

      Actual result

      Local file inclusion under certain conditions. Need to insert a null byte to remove the extension; will only work on certain systems.

      Exact text of any error message(s) that appear

      HTTP/1.1 500 Internal Server Error
      Server: Microsoft-IIS/8.0
      Date: Wed, 29 Jul 2015 13:21:44 GMT
      Content-Length: 214

      PHP Warning:  fopen(localizations/strings_en%20.xml): failed to open stream: Invalid argument in C:\Program Files\FileMaker\FileMaker Server\Web Publishing\web-server-support\test\fmi-test\phptest.php on line 19


      Input validation. Member of enum.
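
      The enumerated-list check named under "Expected result", as an added example that is not part of the original report and is not FileMaker's code. The path pattern follows the fopen() warning above; the function name, the set of language codes and the sample inputs are assumptions, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: allowlist ("member of enum") check for the "lang" request
// parameter before the value is used to build a path for fopen().
// SUPPORTED_LANGS and localization_path() are hypothetical names.

const SUPPORTED_LANGS = ['en', 'fr', 'de', 'ja']; // assumed set of shipped localizations

/**
 * Map a request-supplied language code to a localization file path.
 * Returns null unless the value is an exact member of the allowlist.
 */
function localization_path($lang): ?string
{
    // Strict comparison: no trimming, no case folding, no type juggling.
    // Arrays (?lang[]=en) and other non-strings are rejected up front.
    if (!is_string($lang) || !in_array($lang, SUPPORTED_LANGS, true)) {
        return null;
    }
    // Only an allowlisted constant reaches the path, so the request value
    // cannot contribute separators, "..", whitespace or a null byte.
    return 'localizations/strings_' . $lang . '.xml';
}

// Constructed sample values, as they might arrive in $_GET['lang'].
$samples = ['en', 'fr', 'en ', "en\0", '../strings_en', 'EN', ['en']];

foreach ($samples as $value) {
    $path = localization_path($value);
    printf(
        "%-18s => %s\n",
        json_encode($value),
        $path ?? 'rejected (use the default language, do not call fopen)'
    );
}
```

      Only 'en' and 'fr' resolve to a path here; the value with the trailing space, the same shape as the one in the warning above, is rejected before fopen() is ever called.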