| Title | SourceCodester Resort Reservation System (PHP + SQLite3) 1.0 Local File Inclusion |
|---|
| Description | Local File Inclusion (LFI) via page parameter |
|---|

Severity: Critical
CWE: CWE-98 — Improper Control of Filename for Include/Require Statement
Authentication: Required (any authenticated user)
Affected File: index.php

Relevant Code

```php
$page = $_GET['page'] ?? 'home';
include($page . ".php");
```

Description

The application directly passes the user-controlled page parameter into the include() function without validation or allowlisting.

An attacker can abuse PHP stream wrappers such as php://filter to read sensitive files on the server. Using the base64-encoding filter bypasses the enforced .php extension and allows disclosure of application source code.

Impact

An authenticated attacker can read arbitrary PHP source files, including:

• DBConnection.php
• Master.php
• auth.php
• login.php

These files expose sensitive application logic and credentials, including the bcrypt password hash for administrator accounts.

This vulnerability can also potentially lead to Remote Code Execution through log poisoning or other file inclusion techniques.

Proof of Concept

Request: http://localhost:8000/?page=php://filter/convert.base64-encode/resource=DBConnection

Result: The contents of DBConnection.php are returned encoded in base64 and rendered in the browser.

| Source | https://www.sourcecodester.com/php/16447/resort-reservation-system-php-and-sqlite3-source-code-free-download.html |
|---|
| User | Antony Esthak Twinson (UID 96471) |
|---|
| Submission | 03/27/2026 15:11 (13 days ago) |
|---|
| Moderation | 04/08/2026 21:13 (12 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 236234 [SourceCodester Resort Reservation System 1.0 index.php page file inclusion] |
|---|
| Points | 0 |
|---|
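The report's root cause is the missing allowlist around include(). The following is a hardened replacement for that include, added here as an illustration and not the application's own code; the page names, file names and the `pages/` directory are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the Resort Reservation System's code): replaces
//   $page = $_GET['page'] ?? 'home';  include($page . ".php");
// with a fixed allowlist lookup. Page and file names are assumptions.
const PAGE_MAP = [
    'home'         => 'home.php',
    'reservations' => 'reservations.php',
    'rooms'        => 'rooms.php',
];

/**
 * Map the requested ?page= value to a file under pages/, or return null.
 * Only exact allowlist keys are accepted, so stream wrappers such as
 * php://filter and ../ traversal never reach include() at all.
 */
function resolve_page(mixed $requested, array $map = PAGE_MAP): ?string
{
    $page = $requested ?? 'home';          // same default as the original
    if (!is_string($page) || !array_key_exists($page, $map)) {
        return null;                        // arrays, wrappers, unknown names
    }
    return __DIR__ . '/pages/' . $map[$page];
}

// Request handling: unknown pages get a 404 instead of being included.
function dispatch(array $get): void
{
    $file = resolve_page($get['page'] ?? null);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;   // $file is always one of the allowlisted files
}

// CLI self-check: the report's PoC payload and a traversal attempt are rejected.
if (PHP_SAPI === 'cli') {
    $cases = [
        'home',
        'reservations',
        'php://filter/convert.base64-encode/resource=DBConnection',
        '../../etc/passwd',
        null,
    ];
    foreach ($cases as $c) {
        $r = resolve_page($c);
        printf("%-60s => %s\n", var_export($c, true), $r === null ? 'REJECTED' : basename($r));
    }
}
```

Running the file from the CLI prints which inputs resolve to an allowlisted file and which are rejected; in a web context only dispatch($_GET) is called.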