> It's a very critical bug because a malicious user can use it to bypassing > the file_exist() protection on a include() script for example.
I don't think that is critical problem. It is rather bad-programmers problem. There are various methods for securing file_exists() like e.g. <?php // allowing files only from directory /test $sFileName = $_GET['page']; // is file name equals XXXXX.XXX pattern if(preg_match("|[\w\-]+\.[\w]+|i",$sFileName)) { // check if file exists if(file_exists("./test/".$sFileName)) { // open file and stuff } else { // sorry } } else { // mail the webmaster that someone has tampered the url's } ?> That is just one of the sollutions, far from the best one. There is an article about this here: http://www.zend.com/zend/art/art-oertli.php _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html