<p>The code in ./wp-swimteam/include/user/download.php does not sanitize user input, which allows sensitive system files to be downloaded:</p>
<pre>
// The path comes straight from the request and is opened without validation.
$file = urldecode($args['file']) ;
$fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;

while (!feof($fh))
    $txt .= fread($fh, 1024) ;

// Clean up the temporary file - permissions
// may prevent this from succeeding so use the '@'
// to suppress any messages from PHP.

@unlink($file) ;
}

// Both values below are also request-controlled and reach the response headers as-is.
$filename = urldecode($args['filename']) ;
$contenttype = urldecode($args['contenttype']) ;

// Tell browser to expect a text file of some sort (usually txt or csv)

header(sprintf('Content-Type: application/%s', $contenttype)) ;
header(sprintf('Content-disposition: attachment; filename=%s', $filename)) ;
print $txt ;
</pre>
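<p>A hardened counterpart to the excerpt above, as an added example that is not the plugin's own code or its vendor's fix. It confines the <code>file</code> parameter to one directory and constrains <code>filename</code> and <code>contenttype</code> before they reach the headers. The function names, the <code>$baseDir</code> export directory and the content-type allowlist are assumptions.</p>

```php
<?php
// Added example, not the plugin's code. Assumption: the plugin writes its
// temporary exports into one dedicated directory, passed in as $baseDir.
const ALLOWED_TYPES = ['csv' => 'text/csv', 'txt' => 'text/plain']; // assumed allowlist

// Resolve a requested name to a regular file inside $baseDir, or return null.
function resolve_export(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() drops directory components; realpath() resolves ".." and symlinks.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check on the canonical path, so a symlink cannot escape $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Hypothetical replacement for the download handler shown in the excerpt.
function send_export(string $baseDir, array $args): void
{
    $path = resolve_export($baseDir, (string) ($args['file'] ?? ''));
    $type = ALLOWED_TYPES[(string) ($args['contenttype'] ?? '')] ?? null;
    if ($path === null || $type === null) {
        http_response_code(400);
        exit('Invalid download request.');
    }
    // Only a conservative character set reaches the header: no CR/LF, quotes or slashes.
    $name = basename((string) ($args['filename'] ?? 'export'));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    header('Content-Type: ' . $type);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);

    // The cleanup from the original now only ever touches a file inside $baseDir.
    @unlink($path);
}
```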