I wonder how to patch the LFI problem in this code? Please suggest a good way to patch this vulnerability.
Gilles 'SO- stop being evil' (Oct 25, 2018 at 19:38): Do not post an image of text. That's rude. Copy-paste the text.

schroeder ♦ (Oct 26, 2018 at 15:59): This is not something to "patch". You have a design pattern issue. There are multiple tested design patterns for how to process user input to display a valid page.

schroeder ♦ (Oct 26, 2018 at 16:04): Is this from a homework assignment or textbook?
1 Answer
Directory traversal/local file inclusion attacks are just a symptom of the problem of failing to validate user input. Consider what you're doing: you're taking input from the Internet and blindly passing it to a function that expects a very particular type of input.
The short answer is: VALIDATE ALL USER INPUT.
The longer answer, in this case, is to verify that what is being POSTed in the Product variable is a legitimate file name in the appropriate directory.
This same premise is how SQL Injection works.
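The question's code was posted as an image and is not reproduced here, so its language is unknown. The following is an added Python example (not the answerer's code) of the validation the answer describes: the client-supplied `Product` value is checked against a strict name pattern, matched against the files that actually exist in the product directory, and the final canonical path is confirmed to still lie inside that directory. The product directory, its pages and the out-of-tree `secret.txt` are constructed in a temporary folder so the example runs offline; `load_product` and `make_demo_tree` are names chosen for this example.

```python
import re
import tempfile
from pathlib import Path

# Allowlist pattern for the bare product *name* the client may send:
# lowercase letters, digits and hyphen only, so no '/', '.', NUL or spaces.
NAME_RE = re.compile(r"[a-z0-9-]{1,32}")


def make_demo_tree() -> tuple[Path, Path]:
    """Build a constructed sample layout (not from the original post):
    <tmp>/products/{widget,gadget}.php and <tmp>/secret.txt outside it.
    Returns (product_dir, secret_file)."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    product_dir = root / "products"
    product_dir.mkdir()
    for name in ("widget", "gadget"):
        (product_dir / f"{name}.php").write_text(f"<h1>{name}</h1>\n")
    secret = root / "secret.txt"
    secret.write_text("not a product page\n")
    # A symlink dropped inside the directory that points outside it: passes the
    # name check and the directory listing, and must still be rejected.
    try:
        (product_dir / "evil.php").symlink_to(secret)
    except OSError:
        pass  # platforms without symlink support simply skip this case
    return product_dir, secret


def resolve_product(product_dir: Path, product: str) -> Path:
    """Map the POSTed 'Product' value to a file under product_dir.
    Raises ValueError for anything that is not a known, in-tree page."""
    # 1. The value must look like a product name, never a path.
    if not NAME_RE.fullmatch(product):
        raise ValueError("invalid product name")

    # 2. The server builds the file name; the client never supplies a path.
    candidate = product_dir / f"{product}.php"

    # 3. The name must correspond to a page that really exists in the directory.
    known = {p.stem for p in product_dir.iterdir() if p.suffix == ".php"}
    if product not in known:
        raise ValueError("unknown product")

    # 4. Canonicalise (follows symlinks) and confirm containment in product_dir.
    real_dir = product_dir.resolve(strict=True)
    real_path = candidate.resolve(strict=True)
    if real_dir not in real_path.parents or not real_path.is_file():
        raise ValueError("path escapes product directory")
    return real_path


def load_product(product_dir: Path, product: str) -> str:
    """Return the page body for a validated product, or raise ValueError."""
    return resolve_product(product_dir, product).read_text()


if __name__ == "__main__":
    products, _secret = make_demo_tree()
    print(load_product(products, "widget"), end="")
    for bad in ("../secret.txt", "/etc/passwd", "widget.php", "evil", "nosuch"):
        try:
            load_product(products, bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

The three checks overlap on purpose: the name pattern stops traversal strings before any path is built, the directory listing is the "legitimate file name in the appropriate directory" test from the answer, and the `resolve()` containment check catches what the first two cannot see, such as a symlink inside the directory that points elsewhere.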
