Local File Disclosure using fileviewer functionality

[AbhiKafle123]

Line 129 in index.php lets anyone view all the local files the web-server has access to.

        case 'fileviewer':
            $file = get('file');

Example exploit
example.com/webgrind/index.php?op=fileviewer&file=/etc/passwd

Can we avoid relying on user input to get 'file'?

[SilverioMiranda]

This is not the purpose of this project, it should only be run locally in the test environment only, NEVER in a publicly accessible environment.
That is why no measures are necessary to prevent this kind of situation

[alpha0010]

Correct, this is intended behaviour. Additionally, your production environment should not even have xdebug installed.

(Of note, you will only be able to view files the server can read. /etc/passwd is not that problematic, as the password hashes are actually in /etc/shadow. If apache can read that, you have other problems. Still, someone could access /path/to/site/db-config.php for some handy plain text passwords.)