Code-Projects Online Lot Reservation System Path Traversal Vulnerability in Download.php
Vulnerability
A path traversal vulnerability allowing arbitrary file reading has been identified in the Code-Projects Online Lot Reservation System, version 1.0. The issue arises in the download.php file, where the 'file' parameter is not properly validated before being passed to the readfile() function. This lack of validation enables attackers to exploit the vulnerability remotely, accessing sensitive files on the server, including system configurations and application data.
Impact
Exploitation of this vulnerability allows for arbitrary file reading on the server. This could lead to the disclosure of sensitive information such as database configuration files, critical system files like '/etc/passwd' or 'C:\Windows\system32\drivers\etc\hosts', and source code from other applications.
Reproduction
To reproduce this vulnerability, send a request to download.php with a crafted 'file' parameter that includes path traversal sequences or absolute paths. This can be done using tools like curl. For example, to read the Windows 'win.ini' file, the 'file' parameter can be set to 'C:\Windows\win.ini'. Similarly, the hosts file can be accessed by specifying 'C:/Windows/System32/drivers/etc/hosts'.
Remediation
It is recommended to implement whitelist verification for file paths, use basename() to remove directory traversal elements, restrict file types to specific categories such as documents and images, and disable directory listing on the server.
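A hardened replacement for the download handler, written here as an added example rather than code taken from the Code-Projects project; it assumes files are stored under an 'uploads' directory next to the script and that the vulnerable handler passed $_GET['file'] straight to readfile(). It applies the basename() and extension-whitelist steps above and adds a realpath() containment check, since basename() alone does not prove the final path still lies inside the intended directory.

```php
<?php
// Hardened download.php (added example, not the vendor's code).
// Assumptions: files live in UPLOAD_DIR, and PHP 8.0+ (str_starts_with).
const UPLOAD_DIR  = __DIR__ . '/uploads';                      // assumed storage directory
const ALLOWED_EXT = ['pdf', 'doc', 'docx', 'png', 'jpg', 'jpeg']; // documents and images only

// Resolve a user-supplied name to a safe absolute path inside UPLOAD_DIR, or null to refuse.
function resolve_download(string $requested): ?string
{
    // 1. Keep only the last path component. Backslashes are normalised first because
    //    basename() on Linux does not treat "\" as a separator, so "C:\Windows\win.ini"
    //    and "../../etc/passwd" both collapse to a bare filename here.
    $name = basename(str_replace('\\', '/', $requested));

    // 2. Conservative character set; reject empty names and dot-files.
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }

    // 3. Whitelist the extension.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // 4. Canonicalise and confirm the result is still under UPLOAD_DIR.
    //    realpath() resolves symlinks, so a link pointing outside is caught as well.
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)
        || !is_file($path)) {
        return null;
    }
    return $path;
}

$path = resolve_download((string) ($_GET['file'] ?? ''));
if ($path === null) {
    // Same response for "outside the directory" and "does not exist": no path oracle.
    http_response_code(404);
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Pair this with the server-side directory-listing change from the remediation list; the handler only protects requests that go through download.php.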