Security Issue #1

@Gosokan

Description

This script can see any directory outside of the web server root directory.
I tested this script on Ubuntu 14.04 with Nginx and PHP-FPM 5.6.

We put this script in the web server root directory, e.g. "/home/username/public_html/onexit-file-manager/index.php".

If we click the tree icon, we can see every directory above it, all the way up to "/" on a Linux system. So we can see any file or directory on the system, such as /root, /home, /bin, /var etc.

Just for reference, the Nginx vhost configuration snippet from my system:

server {

    ...
    # document root of the vhost; the file manager lives below it
    root /home/username/public_html;
    index index.html index.php index.htm;

    ...

    # hand .php requests to PHP-FPM (escaped dots restored; \. matches a literal dot)
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        root /home/username/public_html;
        include fastcgi_params;
        fastcgi_pass unix:/run/webdevel.xfpm5;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    ....
}
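The behaviour reported above (a browse/tree request resolving to any directory on the host) is what a root-confinement check prevents. The following is an added example written for this issue, not code from onexit-file-manager; `resolveInsideRoot`, its `$root` and `$requested` parameters, and the temporary directory tree are all assumed, since the issue does not show which request parameter the tree view uses.

```php
<?php
// Added example, not the project's own code: confine a user-supplied path
// to a configured root directory using realpath() and a prefix check.
declare(strict_types=1);

/**
 * Resolve $requested (assumed to come from the file manager's tree/browse
 * request) against $root. Returns the canonical absolute path if it is the
 * root itself or a descendant of it, otherwise null.
 */
function resolveInsideRoot(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;                     // the root itself must exist
    }
    // Strip leading separators so an absolute input such as "/etc" is joined
    // below the root instead of replacing it.
    $candidate = $rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\');
    // realpath() collapses "." / ".." and resolves symlinks; false if missing.
    $real = realpath($candidate);
    if ($real === false) {
        return null;
    }
    $rootTrimmed = rtrim($rootReal, DIRECTORY_SEPARATOR);
    $prefix = $rootTrimmed . DIRECTORY_SEPARATOR;
    // Compare including the trailing separator so that a sibling such as
    // ".../public_html2" is not accepted for a root of ".../public_html".
    if ($real === $rootTrimmed || strncmp($real, $prefix, strlen($prefix)) === 0) {
        return $real;
    }
    return null;
}

// Demonstration against a constructed temporary tree (assumed layout).
$root = sys_get_temp_dir() . '/demo_root_' . getmypid();
mkdir($root . '/uploads', 0700, true);

// "uploads" and "." are accepted; "../", "../../etc" and "/etc" are rejected
// (the last because "$root/etc" does not exist, so realpath() returns false).
foreach (['uploads', '.', '../', '../../etc', '/etc', 'missing'] as $input) {
    $resolved = resolveInsideRoot($root, $input);
    printf("%-10s -> %s\n", $input, $resolved === null ? 'REJECTED' : $resolved);
}

rmdir($root . '/uploads');
rmdir($root);
```

Because the check runs on the resolved path rather than on the raw string, it also rejects symlinks placed under the root that point outside it, which a plain `..` filter would miss.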
