naive · 2007-05-29 15:34
Just found the following in one of our publicly facing web applications:
<?php
$contentType = $_GET['contentType'];
$fileName = $_GET['fileName'];
$sourceLocation = $_GET['sourceLocation'];
header('Content-type: '.$contentType);
header('Content-Disposition: attachment; filename='.$fileName);
readfile($sourceLocation);
?>
Basically, this code is asking the user what file off the server they would like! It's a massive security hole: a hacker could get basically any information they please and use it to break in!
This is a government department, things could blow up if you know what I mean...
I'd really like to name and shame the irresponsible company that put amateur coders in the driver's seat for such an important thing...
Update 2007-05-30: The company responsible was us. Surprise!
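
An added example, not the application's code: one way to replace the script above so that the request supplies only an opaque id, while the path, content type and download name come from a server-side allow-list. DOWNLOAD_ROOT, the `id` parameter and the entries in $downloads are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example. DOWNLOAD_ROOT and the $downloads entries are
// hypothetical; adjust them to the real deployment.

const DOWNLOAD_ROOT = '/var/www/app/downloads';

// Server-side allow-list: the client picks an opaque id, never a path,
// a Content-Type or a filename.
$downloads = [
    'annual-report' => ['path' => 'reports/annual.pdf', 'type' => 'application/pdf'],
    'contact-form'  => ['path' => 'forms/contact.pdf',  'type' => 'application/pdf'],
];

function resolveDownload(array $downloads, string $id, string $root): ?array
{
    if (!isset($downloads[$id])) {
        return null;                       // unknown id: nothing to serve
    }
    $base = realpath($root);
    $real = realpath($root . '/' . $downloads[$id]['path']);
    // realpath() resolves ".." and symlinks; require the result to stay
    // under the download root (defence in depth if the map is ever wrong).
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($real)) {
        return null;
    }
    return ['file' => $real, 'type' => $downloads[$id]['type']];
}

$id  = $_GET['id'] ?? '';
$hit = is_string($id) ? resolveDownload($downloads, $id, DOWNLOAD_ROOT) : null;
if ($hit === null) {
    http_response_code(404);
    exit;
}

// Every header value comes from server-side data, so request input
// cannot choose the type or inject into Content-Disposition.
header('Content-Type: ' . $hit['type']);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($hit['file']) . '"');
header('Content-Length: ' . (string) filesize($hit['file']));
readfile($hit['file']);
```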


