VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2024 · Updated Dec 9, 2024

SourceCodester Best House Rental Management System index.php file inclusion

CVE-2024-12357

Description

A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument page leads to file inclusion. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A file inclusion vulnerability in SourceCodester Best House Rental Management System 1.0 allows remote attackers to include arbitrary files via the 'page' parameter in /index.php.

Vulnerability

A file inclusion vulnerability exists in SourceCodester Best House Rental Management System version 1.0. The issue resides in the /index.php file, where the page parameter is not properly sanitized, allowing an attacker to include arbitrary files. This vulnerability is classified as problematic and can be triggered remotely.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the /index.php endpoint with a malicious page parameter pointing to a local file (e.g., ../../etc/passwd). No authentication is required, and the attack can be launched remotely. The exploit has been publicly disclosed, increasing the risk of active exploitation.

Impact

Successful exploitation allows an attacker to read sensitive files on the server, leading to information disclosure. Depending on the server configuration, file inclusion may also enable remote code execution if the attacker can include a file containing malicious code (e.g., log files or uploaded files). The scope of compromise is limited to the web server's file system.

Mitigation

As of the publication date, no official patch has been released by SourceCodester. Users should consider restricting access to the /index.php file or implementing input validation for the page parameter. If the system is no longer supported, migration to an alternative solution is recommended. The vulnerability is not listed in the CISA KEV catalog.
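
One way to implement the input validation suggested above, shown as an added example (this is not SourceCodester's code, and no vendor fix exists to copy from). The allow-listed page names, the `pages/` directory and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: these page names and the pages/ directory are
// assumptions for illustration, not taken from the application's source.
const ALLOWED_PAGES = ['home', 'tenants', 'houses', 'payments', 'reports'];
const DEFAULT_PAGE  = 'home';

/**
 * Map the untrusted ?page= value to a file that is safe to include.
 * Returns null when the value is rejected so the caller can answer 404.
 */
function resolve_page($requested, string $pagesDir): ?string
{
    // A missing or empty parameter falls back to the default page.
    if ($requested === null || $requested === '') {
        $requested = DEFAULT_PAGE;
    }
    // ?page[]=x arrives as an array; only plain strings are considered.
    if (!is_string($requested)) {
        return null;
    }
    // Exact, case-sensitive match. Values containing "/", "..", NUL bytes
    // or stream wrappers can never equal an allow-listed name.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and sit directly
    // inside $pagesDir after symlinks and relative parts are resolved.
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $file === false || dirname($file) !== $base) {
        return null;
    }
    return $file;
}

// The request value is only ever used as a lookup key, never as a path.
$target = resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
require $target;
```

Setting `allow_url_include=Off` and an `open_basedir` restricted to the application directory in `php.ini` limits what an include can reach if a check like this is ever bypassed.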

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
