-include-..-2f..-2f..-2f..-2froot-2f
To address a query like this directly: the string -include-..-2F..-2F..-2F..-2Froot-2F is not a page name anyone typed by accident. It is a path traversal probe aimed at file inclusion vulnerabilities in web applications. %2F is the URL encoding of "/", and the most plausible reading of -2F is that same encoding with the percent sign swapped for a hyphen, so ..-2F repeated four times followed by root-2F is an attempt to climb four directory levels and land in /root/; the leading "include" tag points at the PHP include() sink the probe is looking for. Whether such a probe succeeds depends on how the application decodes and normalises the value before opening it, which is exactly why the defence below does not try to guess.

The vulnerable pattern is handing the request parameter straight to include():

    include($_GET['page']);

Whatever path that parameter resolves to is read and executed.

The fix to use is an allowlist: map the parameter onto a fixed set of names and never let the raw value reach the filesystem.

    $allowed = ['home', 'about', 'contact'];
    if (in_array($_GET['page'], $allowed, true)) {   // strict comparison, no type juggling
        include('pages/' . $_GET['page'] . '.php');
    }

Where a fixed list is not practical, resolve the path with realpath() and check that the result still lies under the base directory. The check is then made on the canonical path the filesystem will actually open, not on the raw string, so it does not matter how ".." was spelled or encoded:

    $base = realpath('/var/www/html') . '/';   // canonical base, trailing slash included in the prefix test
    $real = realpath($base . $_GET['file']);
    if ($real === false || strpos($real, $base) !== 0) {
        die('Invalid path');
    }
    include($real);

A blacklist such as str_replace(['..', '-2F', '%2F', '\\'], '', $input) is not a substitute for this check: the searches run one after another, so an input like .\./ loses its backslash last and comes out as ../, and it is easy to strip one parameter and then open another. Combine the realpath() check with the allowlist above wherever you can.
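As an added example (not code from the original page), the following stand-alone PHP script reproduces the str_replace() blacklist to show that inputs such as .\./ pass through it as ../, and then applies the allowlist and realpath() containment check so the same inputs are rejected. The temporary directory layout, the file names (pages/home.php, secret.txt) and the helper names naiveStrip, containedPath, resolvePage and check are assumptions made for the demonstration; it needs PHP 7.1 or later and writes only under the system temp directory.

```php
<?php
declare(strict_types=1);

// Added example, not the page's original code. It shows (1) why the sequential
// str_replace() filter quoted above can be bypassed and (2) the allowlist plus
// realpath() containment check that actually holds. Requires PHP 7.1+.

/** The page's blacklist filter, reproduced only to show its weakness. */
function naiveStrip(string $input): string
{
    // Searches run left to right; "\" is removed after ".." was scanned for.
    return str_replace(['..', '-2F', '%2F', '\\'], '', $input);
}

/**
 * Resolve $relative under $base on the real filesystem, or return null.
 * realpath() collapses "..", symlinks and duplicate separators, so the
 * containment check is made on what will actually be opened.
 */
function containedPath(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $real === false) {
        return null;                       // base missing or target does not exist
    }
    // The separator must be part of the prefix: "/srv/html2" is not inside "/srv/html".
    if ($real !== $baseReal && strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/** Allowlist (strict comparison) first, containment as defence in depth. */
function resolvePage(string $page, string $pagesDir, array $allowed): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    return containedPath($pagesDir, $page . '.php');
}

/** Runtime check so the demonstration verifies itself instead of printing guesses. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// --- stand-alone run on a constructed directory layout (hypothetical paths) ---
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';\n");
file_put_contents("$root/secret.txt", "not for you\n");

// 1. Each payload survives the blacklist and comes out as a plain "../".
foreach (['.\\./secret.txt', '.-2F./secret.txt', '.%2F./secret.txt'] as $payload) {
    check(naiveStrip($payload) === '../secret.txt', "blacklist bypassed by $payload");
}

// 2. Containment rejects the traversal even though secret.txt really exists,
//    while a file genuinely inside pages/ is accepted.
check(containedPath("$root/pages", '../secret.txt') === null, 'traversal out of pages/ rejected');
check(containedPath("$root/pages", 'home.php') !== null, 'file inside pages/ accepted');

// 3. Only allowlisted names resolve; the probe from the title does not.
$allowed = ['home', 'about', 'contact'];
check(resolvePage('home', "$root/pages", $allowed) !== null, 'allowlisted page resolves');
check(resolvePage('-include-..-2F..-2F..-2F..-2Froot-2F', "$root/pages", $allowed) === null, 'probe rejected');

unlink("$root/pages/home.php");
unlink("$root/secret.txt");
rmdir("$root/pages");
rmdir($root);
```

Run it with the PHP CLI (php demo.php); every check() line throws if the expectation fails, so a silent run-through means the blacklist really was bypassed and the containment check really did hold. The prefix test deliberately appends DIRECTORY_SEPARATOR to the canonical base, which is the detail most home-grown realpath() checks get wrong.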
On the detection side, search web server access logs for the probe's signature, in both the -2F and %2F spellings (the patterns use shell-style wildcards):

    GET /index.php?page=-include-..-2F
    GET /*.php?*-include-*
    GET /*.*-2Froot-2F

Tools like grep over the raw access log will find these; the same patterns translate directly into a SIEM or WAF rule. Treat a match as a scan in progress and check whether the application ever answered it with anything other than an error.
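The following PHP scanner is an added example, not part of the original page: it reads constructed Common Log Format lines, undoes the encodings used by this payload family (the -2F spelling, single and double percent-encoding) and reports which of the indicators above matched. The log layout, the sample lines and the function names normaliseTarget and inclusionProbeIndicator are assumptions; adjust the request-line regex to your own log format.

```php
<?php
declare(strict_types=1);

// Added example, not the page's own code: a scanner for the access-log
// patterns listed above. The log lines are constructed samples in Common
// Log Format; the field layout is an assumption about your own logs.

/**
 * Undo the encodings seen in this payload family so that "..-2F", "..%2F"
 * and "..%252F" all compare as "../".
 */
function normaliseTarget(string $target): string
{
    $t = str_ireplace('-2F', '/', $target);   // the "%"-swapped-for-"-" spelling
    $t = rawurldecode(rawurldecode($t));      // twice: catches double encoding
    return strtolower($t);
}

/** Return the name of the first indicator that matched, or null when the line looks benign. */
function inclusionProbeIndicator(string $logLine): ?string
{
    // Request target from the quoted request line: "GET /index.php?page=... HTTP/1.1"
    if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)/', $logLine, $m)) {
        return null;
    }
    $target = normaliseTarget($m[1]);
    $indicators = [
        'traversal' => '~\.\./~',        // ../ anywhere in the decoded target
        'root_dir'  => '~/root/~',       // the directory this probe climbs towards
        'marker'    => '~-include-~',    // literal tag carried by this probe
    ];
    foreach ($indicators as $name => $re) {
        if (preg_match($re, $target)) {
            return $name;
        }
    }
    return null;
}

// --- constructed sample lines (not real traffic) ---
$samples = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=-include-..-2F..-2F..-2F..-2Froot-2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php?page=-include-home HTTP/1.1" 404 210',
    '198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Oct/2023:13:55:41 +0000] "GET /static/app.css HTTP/1.1" 200 1024',
];

foreach ($samples as $line) {
    $hit = inclusionProbeIndicator($line);
    printf("%-9s %s\n", $hit ?? 'ok', substr($line, 0, 78));
}
```

The first three sample lines are the same traversal spelled three ways, and all of them collapse to ../ after normalisation, which is the point of decoding before matching rather than grepping for each spelling separately. The fourth line carries only the -include- tag and is caught by the marker rule; the last two are benign and report ok.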