This is a very low risk issue, since it applies only when the attacker and the victim are on the same server. There is a local file inclusion (eg: you can write a new file called header.inc.php in the upper dir of phpsysinfo), a path disclosure (the same bug as above) and a full XSS (you supply your own template) via POST and COOKIE request.

*** Verified in 2.5 and 2.5 rc2 ***

    // Check to see if we're running inside of phpGroupWare
    if (isset($_REQUEST['sessionid']) && $_REQUEST['sessionid'] && $_REQUEST['kp3'] && $_REQUEST['domain']) {
        define('PHPGROUPWARE', 1);
        $phpgw_info['flags'] = array('currentapp' => 'phpsysinfo-dev');
        include('../header.inc.php');
    } else {
        define('PHPGROUPWARE', 0);
    }

Making a request that sets $_REQUEST['sessionid'], $_REQUEST['kp3'] and $_REQUEST['domain'] to true values, the program will include ../header.inc.php with no check. This leads to file inclusion from a possibly evil directory and to path disclosure.

*** Verified in 2.5 and 2.5 rc2 ***

    // DEFINE TEMPLATE_SET
    if (isset($_POST['template'])) {
        $template = $_POST['template'];
    } elseif (isset($_GET['template'])) {
        $template = $_GET['template'];
        if ($template != 'xml' && $template != 'random') {
            // figure out if the template passed in the url exists
            $template = basename($template);
            if (!file_exists(APP_ROOT . "/templates/" . $template)) {
                // use default if not exists.
                $template = $default_template;
            }
        }
    } elseif (isset($_COOKIE['template'])) {
        $template = $_COOKIE['template'];
    } else {
        $template = $default_template;
    }

    // Store the current template name in a cookie, set expire date to 30 days later
    // if template is xml then skip
    if ($template != 'xml') {
        setcookie("template", $template, (time() + 60 * 60 * 24 * 30));
        $_COOKIE['template'] = $template; //update COOKIE Var
    }

    [..CUT..]
    define('TEMPLATE_SET', $template);

$_POST['template']   HACKABLE, no check
$_GET['template']    NOT HACKABLE, secured by basename()
$_COOKIE['template'] HACKABLE, no check

Now we can supply arbitrary (local) templates using the right block syntax. Also a custom css (APP_ROOT."/templates/$template/$template.css") and background (APP_ROOT."/templates/$template/images/$template"."_background.gif") can be used.

Note this can be used to issue an XSS only in the case of an HTTP POST (eg: the user clicks on a form).

The solution is to move all this validation code down, just before the define(), so that it runs on every source (why validate GET and not all the others?).

ascii - http://www.ush.it
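As an added example (not phpSysInfo's own code), here is the template selection rewritten so that the same basename()/file_exists() style check runs on POST and COOKIE too, not only on GET. APP_ROOT and $default_template come from the snippet above; the function name select_template(), the realpath() containment check and the is_string() guard are assumptions made here.

```php
<?php
// Added example, not phpSysInfo's code: template selection with the
// validation applied to every source before TEMPLATE_SET is defined.
// APP_ROOT and $default_template come from the advisory; the function
// name, the realpath() containment check and the is_string() guard are
// assumptions made here.

function select_template(array $post, array $get, array $cookie,
                         $app_root, $default_template)
{
    // Same precedence as the original code: POST, then GET, then COOKIE.
    if (isset($post['template'])) {
        $template = $post['template'];
    } elseif (isset($get['template'])) {
        $template = $get['template'];
    } elseif (isset($cookie['template'])) {
        $template = $cookie['template'];
    } else {
        return $default_template;
    }

    // Reject arrays (template[]=x) and anything that is not a plain string.
    if (!is_string($template) || $template === '') {
        return $default_template;
    }

    // 'xml' and 'random' are special names handled by the application itself.
    if ($template === 'xml' || $template === 'random') {
        return $template;
    }

    // Validate whatever the source: strip path components, then require that
    // the resolved directory lies directly below the templates root.
    $template = basename($template);
    $root = realpath($app_root . '/templates');
    $dir  = realpath($app_root . '/templates/' . $template);
    if ($root === false || $dir === false
        || dirname($dir) !== $root || !is_dir($dir)) {
        return $default_template;
    }
    return $template;
}

// Usage at the point where the original code defines TEMPLATE_SET:
//   $template = select_template($_POST, $_GET, $_COOKIE, APP_ROOT, $default_template);
//   define('TEMPLATE_SET', $template);
```

With this in place a value such as "." or ".." from any source falls back to $default_template, because its resolved directory is not a direct child of the templates root.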