Introduction

During further security analysis of the Leave Application System in PHP and SQLite3, I identified a Local File Inclusion (LFI) vulnerability.

The issue occurs because the application dynamically includes files based on user-controlled input without proper validation.

Vulnerable Code

The application loads pages dynamically using the following code:

$page = $_GET['page'] ?? 'home';   // user-controlled value, never validated
include($page . ".php");           // included as-is, so stream wrappers and traversal sequences reach include()

Because the parameter is not validated, attackers can manipulate it to include unintended files.

Exploitation

By using the PHP filter wrapper, attackers can read the source code of internal PHP files.

Example payload:

?page=php://filter/convert.base64-encode/resource=index

The application returns the Base64 encoded source code of the file.

Decoding the Source Code

The Base64 output can be decoded using the following command:

echo "BASE64CODE" | base64 -d

This reveals the internal source code of the application.

Accessible Sensitive Files

Using the same technique, attackers can read:

• index.php
• DBConnection.php
• LoginRegistration.php
• Master.php
• auth.php

Impact

This vulnerability allows attackers to:

• Read sensitive application source code
• Discover database credentials
• Analyze authentication mechanisms
• Identify additional vulnerabilities

In real-world scenarios this could lead to complete compromise of the application.
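As an added example (not part of the original advisory or of the SourceCodester project), the following Python script shows how a defender could scan web server access logs for the kind of requests described above: any page value carrying a stream wrapper, a traversal sequence, or a name outside the page allowlist is reported. The log lines, the log format and the allowlist are constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Allowlisted page names, mirroring the whitelist recommended in the advisory (assumed)
ALLOWED_PAGES = {"home", "employees", "applications", "users"}

# Combined-format access log entry: client IP, timestamp, request line, status (constructed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_page_value(value: str) -> Optional[str]:
    """Return a reason if the 'page' value looks like an LFI attempt, else None."""
    decoded = unquote(unquote(value))  # tolerate double URL encoding
    if "://" in decoded:
        return "stream wrapper in page parameter"      # e.g. php://filter/...
    if "\x00" in decoded:
        return "null byte in page parameter"
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        return "path traversal in page parameter"
    if decoded not in ALLOWED_PAGES:
        return "page value outside allowlist"
    return None

def scan_access_log(lines):
    """Return one finding per suspicious 'page' parameter found in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access log entries
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("page", []):
            reason = classify_page_value(value)
            if reason:
                findings.append({"ip": m.group("ip"), "status": m.group("status"),
                                 "page": value, "reason": reason})
    return findings

# Constructed sample log lines: two benign requests, one wrapper payload, one encoded traversal
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /leave/index.php?page=home HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/May/2024:12:00:07 +0000] "GET /leave/index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9876',
    '198.51.100.9 - - [10/May/2024:12:01:00 +0000] "GET /leave/index.php?page=..%2F..%2FDBConnection HTTP/1.1" 500 300',
    '198.51.100.9 - - [10/May/2024:12:01:30 +0000] "GET /leave/index.php?page=employees HTTP/1.1" 200 4200',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```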

Recommendation

Developers should restrict file inclusion using a strict whitelist.

Example secure implementation:

$allowed_pages = ['home', 'employees', 'applications', 'users'];
$page = $_GET['page'] ?? 'home';
// Strict comparison: only an exact allowlisted name is accepted
if (!in_array($page, $allowed_pages, true)) { die("Invalid page"); }
include($page . ".php");

This prevents attackers from loading arbitrary files.

Conclusion

Local File Inclusion vulnerabilities expose sensitive server-side information and can lead to severe security issues.

Proper input validation and secure coding practices are essential to prevent such vulnerabilities.

Author

Security Researcher: Hemant Raj Bhati
Category: Web Application Security
Vulnerability Type: Local File Inclusion (LFI)
Affected Application: Leave Application System in PHP and SQLite3
Vendor: SourceCodester