SourceCodester Leave Application System Local File Inclusion Vulnerability

A local file inclusion (LFI) vulnerability exists in SourceCodester Leave Application System version 1.0, developed in PHP and SQLite3. The issue arises because the application includes files based on user-supplied input without adequate validation. This flaw allows remote attackers to manipulate the 'page' parameter to include unintended files, potentially leading to the exposure of sensitive application source code and internal PHP files. The vulnerability is now public and can be exploited remotely.

Impact

Exploitation of this vulnerability allows attackers to read sensitive application files, including database credentials and authentication logic, which could lead to a complete compromise of the application.

Reproduction

To reproduce this vulnerability, manipulate the 'page' parameter in the URL to include the PHP filter wrapper. For example, use a payload that encodes the resource 'index' file. The application will respond with a Base64-encoded version of the file's source code, which can be decoded to reveal sensitive information.