dkwakkel
Posted June 4, 2015

During a security scan the following issue was found:

The file index.php passes an unvalidated filename to a dynamic include statement on line 163. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

index.php:151 Read $_POST()

    $exportRequestStream = $_POST;

Sink: index.php:163 builtin_include()

    if (!@include( $exporterResource )) {

Given this line in getExporter:

    $path = RESOURCE_PATH . EXPORT_HANDLER . strtoupper($streamtype) . "2{$exporterSuffix}.php";

I could imagine that if streamtype contains e.g. '\..\..\..\somefile.txt ' illegal content can be included.

Can this be fixed by e.g. sanitizing streamtype and exporterSuffix?
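One way to validate both values before the include, using exact allowlists plus a canonical-path check instead of stripping characters. This is an added example, not part of the original post or the application's code; `resolveExporterPath`, the two allowlists and the constant values are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed values for this sketch; the real application defines its own.
const RESOURCE_PATH  = __DIR__ . '/Resources/';
const EXPORT_HANDLER = 'Handler_';

// Hypothetical allowlists: the only values that may ever reach the path.
const ALLOWED_STREAM_TYPES = ['SVG', 'IMG'];
const ALLOWED_SUFFIXES     = ['PDF', 'PNG', 'JPG'];

/** Returns the absolute path of an exporter script, or null if rejected. */
function resolveExporterPath(string $streamtype, string $exporterSuffix): ?string
{
    $type   = strtoupper($streamtype);
    $suffix = strtoupper($exporterSuffix);

    // 1. Exact, strict allowlist match. Nothing is stripped or "cleaned":
    //    a value is either a known token or the request is refused.
    if (!in_array($type, ALLOWED_STREAM_TYPES, true)
        || !in_array($suffix, ALLOWED_SUFFIXES, true)) {
        return null;
    }

    $path = RESOURCE_PATH . EXPORT_HANDLER . $type . "2{$suffix}.php";

    // 2. Defence in depth: canonicalise and confirm the file exists
    //    and sits inside RESOURCE_PATH.
    $base = realpath(RESOURCE_PATH);
    $real = realpath($path);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed request values, including the traversal-style input from the post.
// Without a Resources directory on disk, step 2 rejects every sample.
$samples = [['svg', 'pdf'], ['\..\..\..\somefile.txt ', 'pdf'], ['IMG', '../x']];
foreach ($samples as [$t, $s]) {
    $resolved = resolveExporterPath($t, $s);
    if ($resolved === null) {
        echo 'rejected: ' . json_encode([$t, $s]) . PHP_EOL;
        continue;
    }
    require $resolved; // no @ operator, so include failures reach the error log
}
```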