I recently had the "opportunity" to look for security problems in an inherited PHP application. I found the following seemingly innocent line of code:
Well, let's think about it a little...
- Imagine that somewhere there are one or more users who are not all that friendly ...
- Imagine that $_GET['menu'] is something that comes straight from such a user ...
- Imagine that PHP executes the include()d/require()d file as PHP code, not as HTML
- Imagine that the include()d/require()d file does not have to exist on the same server
- Imagine that somewhere on the Internet there exists a text/plain file containing PHP code
If all of that were true, we would have a $h*tload of problems, right? Fortunately that's not true... ..right?
..oh, wait.. *all* of those are true. Oops...
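As an added example (not the inherited application's code, whose actual line is not reproduced above), here is the shape of the problem next to a hardened version in which the request may only pick a key from a fixed allowlist; the `pages/` directory, the `MENU_PAGES` map and `resolveMenuPage()` are assumptions for illustration.

```php
<?php
// Added example, not code from the inherited application.
// Assumption: the page selects a template under ./pages/ via ?menu=<name>.

// Vulnerable shape (do not use): the request decides what gets executed,
// and with remote includes enabled that can be a file on another server.
// include('pages/' . $_GET['menu'] . '.php');

// Hardened replacement: the request only chooses a key; the filesystem
// path comes from a fixed allowlist the user cannot influence.
const MENU_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolveMenuPage(string $menu, string $baseDir): ?string
{
    // Exact-key lookup only; anything else is rejected outright.
    if (!array_key_exists($menu, MENU_PAGES)) {
        return null;
    }
    // Defence in depth: confirm the resolved file really lives in $baseDir,
    // so even a mistaken allowlist entry cannot escape the directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . MENU_PAGES[$menu]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Belt and braces: refuse to serve at all if php.ini still permits remote
// includes (allow_url_include is off by default and deprecated since PHP 7.4).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be disabled');
}

$menu = $_GET['menu'] ?? 'home';
$page = resolveMenuPage((string) $menu, __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

The important property is that no byte of the request ever becomes part of the include path; the user input is only compared against known keys.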