I don't think this will allow someone to directly include /etc/passwd, but there's still a lot of trouble to be had from this. An attacker might be able to:
- Trigger a DoS by including the file itself. (Since you're using include, not include_once, it'll recursively keep including the same file.)
- Include arbitrary scripts on your system, such as copies of phpinfo, leaking sensitive information.
- Include arbitrary code if they're able to upload files with user-defined extensions.
Please note that if you have allow_url_include=1 in your php.ini, you're opening up for a remote file inclusion vulnerability.
A better approach is whitelisting your pages, or at least using something like `basename()` or `realpath()` + `dirname()` to prevent directory traversal attacks.
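The three mitigations mentioned above side by side with the vulnerable pattern, as an added example rather than code from this answer or the asker's application. It assumes the original code looks like `include $_GET['page'] . '.php'` and that the legitimate pages live in a `pages/` directory next to the front controller; the directory name, the page list and the function names are all hypothetical.

```php
<?php
// Added example, not the original answer's code. Assumes the vulnerable
// pattern is include($_GET['page'] . '.php') with the real pages stored in
// ./pages/ beside this script. PAGES_DIR and the page list are hypothetical.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Vulnerable: the untrusted value becomes part of a filesystem path, so
// "../uploads/avatar" walks out of pages/ into user-uploaded content and
// "index" (this script's own name, if it sits in pages/) re-includes the
// script itself on every pass because plain include has no guard.
function includePageVulnerable(string $page): void
{
    include PAGES_DIR . '/' . $page . '.php';
}

// Option 1 (preferred): whitelist. Only a known set of page names is ever
// mapped to a file; anything else is rejected before touching the filesystem.
function resolvePageWhitelist(string $page): ?string
{
    static $allowed = ['home', 'about', 'contact']; // hypothetical page list
    return in_array($page, $allowed, true) ? PAGES_DIR . '/' . $page . '.php' : null;
}

// Option 2: basename() strips every directory component, so "../../x",
// "/etc/x" and "http://evil.example/x" all collapse to "x". It still lets the
// caller pick any *.php that happens to live in pages/, so also require that
// the file exists and is not this script (the self-include DoS).
function resolvePageBasename(string $page): ?string
{
    $name = basename($page);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $path = PAGES_DIR . '/' . $name . '.php';
    return (is_file($path) && realpath($path) !== __FILE__) ? $path : null;
}

// Option 3: realpath() + dirname(): canonicalise the requested path and check
// it is still inside pages/. realpath() returns false for files that do not
// exist and for URL wrappers, so remote paths fail here even with
// allow_url_include=1. dirname() comparison assumes a flat pages/ directory;
// for nested pages compare a "$base . DIRECTORY_SEPARATOR" prefix instead.
function resolvePageRealpath(string $page): ?string
{
    $base   = realpath(PAGES_DIR);
    $target = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $target === false || $target === __FILE__) {
        return null;
    }
    return dirname($target) === $base ? $target : null;
}

// Hardened front controller: whitelist first, include_once as belt and braces
// so that even a misconfigured whitelist entry cannot include itself twice.
function includePageSafe(string $page): void
{
    $file = resolvePageWhitelist($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include_once $file;
}

if (PHP_SAPI !== 'cli') {
    includePageSafe((string) ($_GET['page'] ?? 'home'));
}
```

The whitelist is the only one of the three that stops every item in the list above on its own: `basename()` and `realpath()` keep the attacker inside `pages/`, but any `.php` file that lands there through an upload or misplaced `phpinfo` copy is still reachable by name.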