2 Replies Latest reply on Nov 12, 2015 10:57 AM by TSGal

    Potential Local File Inclusion

    JoshuaGimer

      Summary

      Potential Local File Inclusion

      Product

      FileMaker Pro

      Version

      14.0.2.226

      Description of the issue

      The PHP test page below does not properly validate the GET request parameter "lang" before backend processing. The application takes this value and creates a string which is then passed to fopen(). Under certain circumstances it may be possible to escape out of this string and access local files on the filesystem.

      /fmi-test/phptest.php?lang=en&server=localhost

      Steps to reproduce the problem

      /fmi-test/phptest.php?lang=en%20&server=localhost

      Expected result

      All user-supplied inputs should be checked against an enumerated list of values before being passed to fopen().

      Actual result

      Local file inclusion under certain conditions. Need to insert a null byte to remove the extension; will only work on certain systems.

      Exact text of any error message(s) that appear

      HTTP/1.1 500 Internal Server Error
      Server: Microsoft-IIS/8.0
      Date: Wed, 29 Jul 2015 13:21:44 GMT
      Content-Length: 214

      PHP Warning:  fopen(localizations/strings_en%20.xml): failed to open stream: Invalid argument in C:\Program Files\FileMaker\FileMaker Server\Web Publishing\web-server-support\test\fmi-test\phptest.php on line 19

      Workaround

      Input validation. Member of enum.
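
The workaround named in the report (membership in an enumerated list before the value reaches fopen()), sketched in PHP as an added example. It is not FileMaker's code and not part of the original post; the language list and the function names are assumptions, and only the path pattern is taken from the warning quoted above.

```php
<?php
// Added example (hypothetical names). Only the "localizations/strings_<lang>.xml"
// pattern comes from the PHP warning in the report.

// Assumed set of shipped locales; replace with the files actually present.
const ALLOWED_LANGS = ['en', 'de', 'fr', 'ja'];
const DEFAULT_LANG  = 'en';

/**
 * Return a language code that is a member of the fixed list,
 * falling back to the default for anything else.
 */
function resolve_lang($raw)
{
    // strict=true: no type juggling, so arrays, null and numbers never match.
    return in_array($raw, ALLOWED_LANGS, true) ? $raw : DEFAULT_LANG;
}

/**
 * Build the localization path from a vetted value only. The request
 * parameter is used to select a list entry, never concatenated as-is.
 */
function strings_path($raw)
{
    return 'localizations/strings_' . resolve_lang($raw) . '.xml';
}

// In the page itself this would read:
//   $lang = isset($_GET['lang']) ? $_GET['lang'] : null;
//   $fh   = fopen(strings_path($lang), 'r');

// Constructed inputs: two valid codes, the trailing-space value from the
// report, a relative-path value, a null-byte suffix, an array (lang[]=en),
// and a missing parameter.
$samples = ['en', 'fr', 'en ', '../other', "en\0", ['en'], null];

foreach ($samples as $raw) {
    printf(
        "%-14s => %s\n",
        json_encode($raw, JSON_UNESCAPED_SLASHES),
        strings_path($raw)
    );
}
```

Every input outside the list resolves to `localizations/strings_en.xml`, so no request value can change the directory or the extension of the file that is opened.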