| Title | SourceCodester Resort Reservation System (PHP + SQLite3) 1.0 Local File Inclusion |
|---|---|
| Description | The Resort Reservation System application is vulnerable to Local File Inclusion (LFI) due to improper handling of user-supplied input in the `page` parameter.<br>The application directly incorporates the `page` parameter into a PHP `include()` statement without validation or sanitization:<br>`$page = $_GET['page'] ?? 'home';`<br>`include($page . ".php");`<br>An authenticated attacker can manipulate the `page` parameter to include unintended files using PHP stream wrappers such as `php://filter`. This allows disclosure of sensitive source code files by bypassing the enforced `.php` extension through encoding filters. |
| Source | https://medium.com/@cybertamarin/local-file-inclusion-in-a-php-reservation-system-from-parameter-abuse-to-source-code-disclosure-f1ac55dd6178 |
| User | Antony Esthak Twinson (UID 96471) |
| Submission | 03/27/2026 15:27 (14 days ago) |
| Moderation | 04/08/2026 21:13 (12 days later) |
| Status | Duplicate |
| VulDB entry | 236234 [SourceCodester Resort Reservation System 1.0 index.php page file inclusion] |
| Points | 0 |
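
One way to close the `include()` shown in the description is to resolve the `page` value against a fixed allow-list before any path is built. This is an added example, not code from the application or from the submitter; the page names, the `pages/` directory and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical page names: the application's real page list is not given
// in the submission.
const ALLOWED_PAGES = ['home', 'rooms', 'reservations'];

/**
 * Map a user-supplied page name to a file under $baseDir.
 * Returns null when the value is not an exact allow-list entry.
 * The parameter is untyped on purpose: a request such as ?page[]=x
 * makes $_GET['page'] an array, which must be rejected, not cast.
 */
function resolve_page($requested, string $baseDir, array $allowed = ALLOWED_PAGES): ?string
{
    if ($requested === null) {
        $requested = 'home';            // same default as the original code
    }
    // Strict, exact-match lookup: stream wrappers (php://...), traversal
    // sequences and absolute paths can never equal an allow-list entry,
    // so user input never reaches the filesystem layer.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . $requested . '.php';
}

// Constructed inputs for demonstration only.
$samples = ['home', null, 'rooms', '../config', 'php://filter', 'Home', ['home']];
foreach ($samples as $sample) {
    $path = resolve_page($sample, __DIR__ . '/pages');
    printf("%-22s => %s\n", json_encode($sample), $path ?? 'rejected');
}

// In index.php the vulnerable two lines would then become:
//   $path = resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

Because the path is assembled only from an allow-list entry, the appended `.php` suffix stops being the sole control, which is the control the description reports as bypassed.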