This is not the purpose of this project; it should only be run locally, in a test environment, NEVER in a publicly accessible environment.
That is why no measures are necessary to prevent this kind of situation.
Correct, this is intended behaviour. Additionally, your production environment should not even have Xdebug installed.
(Of note, you will only be able to view files the server can read. /etc/passwd is not that problematic, as the password hashes are actually in /etc/shadow. If apache can read that, you have other problems. Still, someone could access /path/to/site/db-config.php for some handy plain text passwords.)
Line 129 in index.php lets anyone view all the local files the web-server has access to.
Example exploit:
example.com/webgrind/index.php?op=fileviewer&file=/etc/passwd
Can we avoid relying on user input to get 'file'?
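One way to stop relying on user input for `file`, shown as an added example that is not webgrind's own code: the request names a source file only by an integer id into the list of files the loaded profile itself references, and even a profile-listed path is canonicalised and required to sit under a configured source root. The vulnerable form is shown beside it for contrast. All function names, the `fileId` parameter, the `$sourceRoot` setting and the sample profile file list are assumptions constructed for this example.

```php
<?php
// Added example (not webgrind's own code). Names, parameters and data below are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the path comes straight from the request, so any file the
// web server can read is exposed, e.g. index.php?op=fileviewer&file=/etc/passwd
function viewFileVulnerable(array $get): string
{
    $file = $get['file'] ?? '';
    return (string) file_get_contents($file);
}

// Hardened pattern: the request carries only an integer id; the path itself comes
// from $profileFiles, assumed here to be the "fl=" entries the cachegrind parser
// collected from the selected profile (constructed data in the demonstration below).
function resolveProfileFile(array $profileFiles, array $get, string $sourceRoot): ?string
{
    // Reject anything that is not a plain non-negative integer id.
    if (!isset($get['fileId']) || !ctype_digit((string) $get['fileId'])) {
        return null;
    }
    $id = (int) $get['fileId'];
    if (!array_key_exists($id, $profileFiles)) {
        return null; // id not in this profile's file list
    }
    // The profile output is attacker-influenced if anyone can write to the profiler
    // output directory, so a listed path must still canonicalise to somewhere
    // under the configured source root (defeats "..", symlinks, absolute paths).
    $real = realpath($profileFiles[$id]);
    $root = realpath($sourceRoot);
    if ($real === false || $root === false) {
        return null;
    }
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null; // resolved outside the source root
    }
    return $real;
}

function viewFileHardened(array $profileFiles, array $get, string $sourceRoot): string
{
    $path = resolveProfileFile($profileFiles, $get, $sourceRoot);
    if ($path === null) {
        http_response_code(400);
        return 'Invalid file reference';
    }
    // Escape before echoing so the viewer cannot be turned into a stored XSS sink.
    return htmlspecialchars((string) file_get_contents($path), ENT_QUOTES, 'UTF-8');
}

// Demonstration with constructed data: a throwaway source root holding one file,
// and a "profile" listing that file plus a path outside the root (as a tampered
// profile might). Each call is labelled with the reason it is accepted or rejected.
$root = sys_get_temp_dir() . '/webgrind-example-' . getmypid();
mkdir($root);
file_put_contents($root . '/app.php', "<?php echo 'hello';\n");
$profileFiles = [0 => $root . '/app.php', 1 => '/etc/passwd'];

var_dump(resolveProfileFile($profileFiles, ['fileId' => '0'], $root));               // listed and under root
var_dump(resolveProfileFile($profileFiles, ['fileId' => '1'], $root));               // listed but outside root
var_dump(resolveProfileFile($profileFiles, ['fileId' => '../etc/passwd'], $root));   // not an integer id
var_dump(resolveProfileFile($profileFiles, ['file' => '/etc/passwd'], $root));       // old parameter ignored

unlink($root . '/app.php');
rmdir($root);
```

Run it with `php example.php`; only the first call returns a path, the other three return NULL. The key design choice is that the user never supplies a path at all, only an index into data the application already trusts, and the realpath prefix check is a second layer in case that data was tampered with.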