phpBB3 / PHPBB3-10038

download/file.php uses $_GET value instead of function request_var()

      Description

      The code in download/file.php

      $filename = $_GET['avatar'];

      should be adjusted to use the function request_var() to get the $filename value.
      Direct use of $_GET is known as an insecure option.
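
To illustrate the difference the report is pointing at, the following added example (not part of the original report and not phpBB's code) contrasts raw `$_GET`-style access with a typed accessor that always returns a value of the default's type. `typed_request_var()` is a hypothetical, simplified stand-in for `request_var()`, and the sample inputs are constructed.

```php
<?php
// Added illustration. typed_request_var() is a hypothetical, simplified
// stand-in for a typed request accessor; it is not phpBB's implementation.

/**
 * Return $source[$name] coerced to the type of $default, or $default when
 * the parameter is absent or arrives as an array instead of a scalar.
 */
function typed_request_var(array $source, string $name, $default)
{
    if (!isset($source[$name]) || is_array($source[$name])) {
        // "?avatar[]=x" makes PHP deliver an array; never pass that on.
        return $default;
    }
    if (is_int($default)) {
        return (int) $source[$name];
    }
    // String default: normalise newlines, drop NUL bytes, trim, and
    // escape HTML metacharacters before the value reaches other code.
    $value = str_replace(["\r\n", "\r", "\0"], ["\n", "\n", ''], (string) $source[$name]);
    return htmlspecialchars(trim($value), ENT_COMPAT, 'UTF-8');
}

// Constructed query-string arrays standing in for $_GET.
$samples = [
    'plain'   => ['avatar' => 'g2_1300000000.jpg'],
    'array'   => ['avatar' => ['unexpected']],
    'nul'     => ['avatar' => "g2_1300000000.jpg\0"],
    'markup'  => ['avatar' => '<b>x</b>'],
    'missing' => [],
];

foreach ($samples as $label => $get) {
    $raw   = $get['avatar'] ?? null;                 // what direct $_GET access yields
    $typed = typed_request_var($get, 'avatar', '');  // always a string
    printf("%-8s raw=%-32s typed=%s\n", $label, json_encode($raw), json_encode($typed));
}
```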

            People

            Assignee:
            bantu Andreas Fischer
            Reporter:
            rxu rxu