  1. phpBB3
  2. PHPBB3-10038

download/file.php uses $_GET value instead of function request_var()

Details

    Description

      The code in download/file.php

      $filename = $_GET['avatar'];

      should be adjusted to use the request_var() function to get the $filename value.
      Direct use of $_GET is known as an insecure option.
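
The type problem behind this report, as an added example (not phpBB code and not part of the ticket): a raw `$_GET['avatar']` can arrive as an array or carry NUL bytes and markup, while a typed accessor always hands back a cleaned string. `typed_request_value()` is a hypothetical, simplified stand-in for the kind of accessor `request_var()` provides, and the query strings are constructed samples.

```php
<?php
// Added illustration, not phpBB source. typed_request_value() is a
// hypothetical, simplified stand-in for the typed accessor the ticket
// asks for; phpBB's real request_var() does more than this.

function typed_request_value(array $source, string $name, $default)
{
    if (!isset($source[$name])) {
        return $default;
    }
    $value = $source[$name];

    // A scalar default means only a scalar is acceptable: avatar[]=x
    // arrives as an array and is rejected before it reaches string code.
    if (is_array($value) !== is_array($default)) {
        return $default;
    }
    if (is_array($value)) {
        return $default; // nested input is out of scope for this sketch
    }

    if (is_int($default)) {
        return (int) $value;
    }

    // String path: normalise newlines, drop NUL bytes, trim, escape HTML.
    $value = str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), (string) $value);
    return htmlspecialchars(trim($value), ENT_COMPAT, 'UTF-8');
}

// Constructed sample query strings, parsed the way PHP fills $_GET.
$samples = array(
    'avatar=g12_1280000000.png',
    'avatar[]=x',
    'avatar=%00a%3Cb%3E.png',
);

foreach ($samples as $query) {
    parse_str($query, $get);
    $raw  = $get['avatar'];                          // what the ticketed line sees
    $safe = typed_request_value($get, 'avatar', ''); // always a string
    printf("%-28s raw=%-8s typed=%s\n", $query, gettype($raw), var_export($safe, true));
}
```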

          People

            bantu Andreas Fischer
            rxu rxu