✍️ Description

Attackers can control the filesystem path argument to readfile() at api.php line 35 for ?email= parameter, which allows them to access or modify otherwise protected files.

Analysis Trace:

1. application take unsensitized input at: $email = strtolower($_REQUEST['email']);
2. Assigning user input to filepath: $filepath = ROOT.DS.'..'.DS.'data'.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
3. Finally read file at: readfile($filepath);

🕵️‍♂️ Proof of Concept

1. Visit /api.php?action=attachment&email=\..\..\..\..\..\Windows\win.ini&id=valid_id&filename=valid_finalname where the GET variables were properly replaced, you can see arbitrary files on the serve.

💥 Impact

The program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker. Arbitrary file read, leakage of information.