Potential Local File Inclusion (1 Comment)

Issue report by Joshua Gimer

Product

FileMaker Pro

Version

14.0.2.226

Description of the issue

The PHP test page below does not properly validate the GET request parameter "lang" before backend processing. The application takes this value and creates a string which is then passed to fopen(). Under certain circumstances it may be possible to escape out of this string and access local files on the filesystem.

/fmi-test/phptest.php?lang=en&server=localhost

Steps to reproduce the problem

/fmi-test/phptest.php?lang=en%20&server=localhost

Expected result

All user supplied inputs should be checked against an enumerated list of values before being passed to fopen().

Actual result

Local file inclusion under certain conditions. Need to insert a null byte to remove the extension; will only work on certain systems.

Exact text of any error message(s) that appear

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/8.0
Date: Wed, 29 Jul 2015 13:21:44 GMT
Content-Length: 214

PHP Warning: fopen(localizations/strings_en%20.xml): failed to open stream: Invalid argument in C:\Program Files\FileMaker\FileMaker Server\Web Publishing\web-server-support\test\fmi-test\phptest.php on line 19

Workaround

Input validation. Member of enum.