phpBB / PHPBB-10038

download/file.php uses $_GET value instead of function request_var()


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • 3.0.9-RC1
    • 3.0.8
    • Viewing posts
    • None

      The code in download/file.php

      $filename = $_GET['avatar'];

      should be adjusted to use the function request_var() to get the $filename value.
      Direct use of $_GET is known to be an insecure option.

            bantu Andreas Fischer [X] (Inactive)
            rxu rxu
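
An added example, not taken from this issue or from phpBB's code: typed_get() is a hypothetical, simplified stand-in for a typed request accessor such as request_var(). It is run over constructed query strings to show what a raw $_GET['avatar'] can hold compared with a value coerced to the type of its default.

```php
<?php
// Added illustration, not phpBB source. typed_get() is a hypothetical,
// simplified stand-in for a typed request accessor; scalar defaults only.

/**
 * Return $source[$name] coerced to the type of $default.
 * Falls back to $default when the key is missing or when an array
 * arrives where a scalar is expected.
 */
function typed_get(array $source, string $name, $default)
{
    if (!isset($source[$name]) || is_array($source[$name])) {
        return $default;
    }
    $value = $source[$name];
    settype($value, gettype($default));   // force the caller's expected type
    if (is_string($value)) {
        // Drop NUL bytes and normalise line endings, then trim and
        // encode HTML metacharacters.
        $value = str_replace(["\r\n", "\r", "\0"], ["\n", "\n", ''], $value);
        $value = htmlspecialchars(trim($value), ENT_COMPAT, 'UTF-8');
    }
    return $value;
}

// Constructed query strings; parse_str() fills an array the same way
// PHP fills $_GET from the request.
$samples = [
    'avatar=g2_1288.jpg',   // expected form
    'avatar[]=x',           // array where a string is expected
    'avatar=a%00.jpg',      // embedded NUL byte
    'avatar=%3Cb%3E.jpg',   // HTML metacharacters
    'other=1',              // parameter missing entirely
];

foreach ($samples as $query) {
    parse_str($query, $get);
    $raw   = $get['avatar'] ?? null;          // what $_GET['avatar'] would hold
    $typed = typed_get($get, 'avatar', '');   // always a string
    printf("%-20s raw=%-16s typed=%s\n",
        $query, json_encode($raw), json_encode($typed));
}
```

The accessor only guarantees the type and encoding of the value; whether it is an acceptable avatar filename still has to be checked by the code that uses it.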
