SourceCodester Online Food Ordering System Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in SourceCodester Online Food Ordering System version 2.0. The issue arises in the '/index.php' and '/admin/index.php' files, where user input from the 'page' parameter is directly passed to the PHP 'include' function without proper sanitization or path restrictions. This vulnerability allows remote attackers to include arbitrary PHP files or use PHP stream wrappers to read the source code of sensitive files, such as database configuration files. No login or authorization is required to exploit this vulnerability.

Impact

Exploitation of this vulnerability allows attackers to read sensitive configuration files, including database credentials, execute arbitrary PHP code by including malicious files, or use PHP stream wrappers to extract source code from any file on the server. This poses a significant risk to system confidentiality and can facilitate further attacks against the server.

Reproduction

To reproduce this vulnerability, send a GET request to 'index.php' or 'admin/index.php' with a crafted 'page' parameter that includes a PHP stream wrapper, such as 'php://filter/convert.base64-encode/resource=admin/db_connect'. This will return a base64-encoded version of the 'db_connect.php' file, which can be decoded to reveal its contents, including database connection details.

Remediation

To address this vulnerability, implement the following measures:

1. Use a whitelist of allowed pages and reject any requests that do not match.
2. Disable PHP wrappers in production by setting 'allow_url_include = Off' and 'allow_url_fopen = Off' in php.ini.
3. Use 'basename()' to strip directory traversal characters from the 'page' parameter before including it.
4. Conduct regular security audits to identify and fix potential vulnerabilities, especially in file inclusion logic.
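The following PHP snippet is an added example written for this advisory; it is not code from the original page or from the SourceCodester project. It places the vulnerable pattern the advisory describes (the 'page' parameter passed straight to 'include') beside an allowlist-based replacement implementing remediation measure 1. The page names in the allowlist are assumed for illustration; the project's real page list is not given here. One caveat worth knowing when applying measure 2: 'allow_url_include' and 'allow_url_fopen' govern remote wrappers such as 'http://' and 'ftp://', but 'php://filter' operates on local files and is not disabled by them, which is why the allowlist is the control that actually closes the source-disclosure path.

```php
<?php
// Added example (not part of the original advisory or the SourceCodester project).
// Shows the vulnerable include pattern the advisory describes and an allowlist fix.

// --- Vulnerable pattern (as described in the advisory) ---
// The request value is concatenated into include() with no restriction, so any
// local path or php:// stream wrapper supplied by the client is opened.
function include_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// --- Hardened pattern: fixed allowlist ---
// Keys are the only values accepted from the client; values are the real files.
// Because the lookup result, not the request string, is what reaches include(),
// traversal sequences and stream wrappers never touch the filesystem API.
// (Page names below are assumed; the project's actual pages are not on the page.)
const ALLOWED_PAGES = [
    'home'   => 'home.php',
    'menu'   => 'menu.php',
    'cart'   => 'cart.php',
    'orders' => 'orders.php',
];

// Returns the real file for a known page, or null for anything not allowlisted.
function resolve_page(?string $page, array $allowed = ALLOWED_PAGES, string $default = 'home'): ?string
{
    if ($page === null || $page === '') {
        $page = $default;
    }
    // Strict key lookup: no prefix matching, no normalisation of the input.
    return array_key_exists($page, $allowed) ? $allowed[$page] : null;
}

function include_page_safe(?string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        // Unknown page: respond with 404 and do not echo the input back.
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    // Anchor to the application directory so the resolved name is relative to it.
    include __DIR__ . '/' . $file;
}

// Web usage:
//   include_page_safe($_GET['page'] ?? null);

// CLI demonstration of how the resolver treats benign and hostile inputs
// (the wrapper string is the one quoted in the advisory's reproduction section).
if (PHP_SAPI === 'cli') {
    $samples = [
        'menu',
        '',
        '../admin/db_connect',
        'php://filter/convert.base64-encode/resource=admin/db_connect',
    ];
    foreach ($samples as $in) {
        $out = resolve_page($in);
        echo var_export($in, true), ' => ', ($out === null ? 'REJECTED' : $out), PHP_EOL;
    }
}
```

Run with `php allowlist_demo.php` to see the two allowlisted inputs resolve to file names and the traversal and 'php://filter' inputs both come back as REJECTED. The design choice is deliberate: rather than trying to sanitise the request string (measure 3), the request is only ever used as a dictionary key, so there is no string left to sanitise.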

Added: Jun 3, 2026, 1:19 AM
Updated: Jun 3, 2026, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          3.1
exploitability  9.7
remediation     0.0
relevance       9.9
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.