Painstation!
-
I was reading this site - painstation.de (check it out). I have javascript disabled so I always have to copy javascriptopenurl("url here") type links into the address bar and remove the JS code around the link. I usually don't remove the right quote hoping the script would filter out the params from garbage... so I came across this http://www.fursr.com/furyoureyesonly/?show=Hall_of_Pain
now try http://www.fursr.com/furyoureyesonly/?show=somefolder
-
-
What are we supposed to see?
-
Looks like it properly whitelisted the allowed directories. Yeah, it doesn't have a pretty error message. But well, YOU fucked it up, not them.
Presumably no security hole there, and PHP code is always quick&dirty so this seems just right.
-
The WTF is, they are using the folder name right out of the GET request, and rely on OS/PHP restrictions for it, with no input validation (except by PHP/OS itself).
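
The validation the last post says is missing, sketched as an added example (not part of the thread and not the site's actual code): the `show` value is checked against an explicit allowlist before any filesystem call, and the handler returns its own error instead of a PHP warning. `CONTENT_ROOT`, the section map and `resolveSection()` are hypothetical names.

```php
<?php
// Added example. CONTENT_ROOT, SECTIONS and resolveSection() are assumptions.
// Pattern the post describes: opendir('./' . $_GET['show']) with no checks,
// leaving PHP and the OS to decide what is reachable and what error is shown.

const CONTENT_ROOT = __DIR__ . '/content';

// Explicit allowlist: accepted request value => directory under CONTENT_ROOT.
const SECTIONS = [
    'Hall_of_Pain' => 'hall_of_pain',
    'News'         => 'news',
];

/** Map the ?show= value to a real directory, or null if it is not allowed. */
function resolveSection(mixed $show, string $root = CONTENT_ROOT, array $sections = SECTIONS): ?string
{
    // Missing values and arrays (?show[]=x) are rejected before any lookup.
    if (!is_string($show) || !array_key_exists($show, $sections)) {
        return null;
    }
    $rootReal = realpath($root);
    $dirReal  = realpath($root . DIRECTORY_SEPARATOR . $sections[$show]);
    if ($rootReal === false || $dirReal === false || !is_dir($dirReal)) {
        return null;
    }
    // Defence in depth: a symlinked section must still resolve inside the root.
    if (!str_starts_with($dirReal, $rootReal . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $dirReal;
}

$dir = resolveSection($_GET['show'] ?? null);
if ($dir === null) {
    // Generic response: no path, no PHP warning, no echo of the input.
    http_response_code(404);
    echo 'Unknown section';
    exit;
}

foreach (scandir($dir) as $entry) {
    if ($entry !== '.' && $entry !== '..') {
        echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```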