CVE-2026-7132
Description
A vulnerability was found in code-projects Online Lot Reservation System up to 1.0. This affects the function readfile of the file /download.php. The manipulation of the argument File results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated path traversal in /download.php allows remote attackers to read arbitrary server files in code-projects Online Lot Reservation System up to 1.0.
Vulnerability Analysis
An arbitrary file read vulnerability exists in the download.php file of code-projects Online Lot Reservation System version 1.0. The root cause is that the user-supplied File parameter is passed directly to the PHP readfile() function without any filtering or validation [1]. Because nothing constrains the value to a file name inside the intended download directory, both relative path traversal (../ sequences) and absolute file paths are accepted.
Attack Vector
The attack is remotely exploitable without any authentication or authorization [1]. An attacker can send a crafted HTTP GET request to /download.php with a file parameter containing path traversal sequences (e.g., ../) or an absolute path to a sensitive file. Proof-of-concept requests demonstrate reading Windows system files, the hosts file, and application source code [1].
Impact
Successful exploitation allows an attacker to read any file on the server, including database configuration files (potentially leaking credentials), sensitive system files such as /etc/passwd or C:\Windows\win.ini, and application source code [1]. This compromises confidentiality of the server and connected systems.
Mitigation
No official patch has been released by the vendor (code-projects) as of the publication date [2]. Suggested fixes include restricting served files to an allow-list of permitted directories and applying basename() to the user-supplied name so that directory components cannot influence the resolved path [1]. Until a permanent fix is available, users should validate the File parameter server-side and restrict the web server's file access (for example, by serving downloads only from a dedicated directory that contains no configuration or source files).
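The following is an added example of the hardened download handler these suggestions describe; it is not code from the Online Lot Reservation System project. The `uploads` directory name, the `resolve_download()` function and the response headers are assumptions, since the page does not show the original source.

```php
<?php
// Added example, not the project's own code. Vulnerable pattern described in the
// advisory (user-controlled File parameter handed straight to readfile):
//   readfile($_GET['File']);
//
// Hardened version: strip directory components with basename(), then confirm the
// resolved path is still inside the single allowed directory.

const DOWNLOAD_DIR = __DIR__ . '/uploads';   // assumed: the only directory served

/**
 * Map a user-supplied file name to a real path inside DOWNLOAD_DIR, or null.
 *  - basename() discards "../" sequences and absolute-path prefixes.
 *  - realpath() resolves symlinks and "..", so the prefix check below holds
 *    even if the basename() step is later relaxed or bypassed.
 */
function resolve_download(string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $full = realpath(DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;   // missing file, or a path realpath() could not resolve
    }
    // Trailing separator in the prefix stops "/uploads-other" matching "/uploads".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the allowed directory (e.g. via symlink)
    }
    return $full;
}

$path = resolve_download($_GET['File'] ?? '');
if ($path === null) {
    http_response_code(404);   // same response for "not found" and "not allowed"
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

A request such as `download.php?File=../config.php` resolves to `uploads/config.php`, which either does not exist or is a legitimately downloadable file, so the traversal has no effect.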
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.