
Potential Local File Inclusion

Question asked by JoshuaGimer on Jul 29, 2015
Latest reply on Nov 12, 2015 by TSGal



FileMaker Pro


Description of the issue

The PHP test page below does not properly validate the GET request parameter "lang" before backend processing. The application takes this value and creates a string which is then passed to fopen(). Under certain circumstances it may be possible to escape out of this string and access local files on the filesystem.


Steps to reproduce the problem


Expected result

All user-supplied inputs should be checked against an enumerated list of values before being passed to fopen().

Actual result

Local file inclusion under certain conditions. Need to insert a null byte to remove the extension; will only work on certain systems.

Exact text of any error message(s) that appear

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/8.0
Date: Wed, 29 Jul 2015 13:21:44 GMT
Content-Length: 214

PHP Warning:  fopen(localizations/strings_en%20.xml): failed to open stream: Invalid argument in C:\Program Files\FileMaker\FileMaker Server\Web Publishing\web-server-support\test\fmi-test\phptest.php on line 19


Input validation. Member of enum.
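
The enumerated-list check the report asks for, as an added example (not code from the original post or from FileMaker). The function name, the set of supported languages and the default are assumptions; the `localizations/strings_<lang>.xml` pattern is taken from the error message above.

```php
<?php
declare(strict_types=1);

// Assumed set of shipped locales; the real list is not given in the report.
const SUPPORTED_LANGS = ['en', 'fr', 'de', 'ja'];
const DEFAULT_LANG    = 'en';

/**
 * Map an untrusted "lang" request value to a localization file path.
 * The path is only ever built from an exact member of SUPPORTED_LANGS,
 * so request data never reaches fopen().
 */
function resolve_localization_file($lang, string $baseDir): string
{
    // Strict comparison: "en ", "en\0", traversal strings, arrays
    // (?lang[]=x) and null all fail the membership test.
    if (!is_string($lang) || !in_array($lang, SUPPORTED_LANGS, true)) {
        // json_encode escapes control characters, keeping the log line intact.
        error_log('rejected lang parameter: ' . json_encode($lang));
        $lang = DEFAULT_LANG;
    }
    return $baseDir . '/strings_' . $lang . '.xml';
}

// Constructed sample inputs, standing in for $_GET['lang'].
$samples = ['en', 'fr', 'en ', "en\0", '../../x', ['en'], null];
foreach ($samples as $s) {
    printf("%-14s => %s\n", json_encode($s),
        resolve_localization_file($s, 'localizations'));
}
// Only 'en' and 'fr' select their own file; every other sample falls
// back to localizations/strings_en.xml and is logged.
```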