
Hole on free-lance.ru

The find


It all started as usual. Another evening in search of a small project for 2-3 hours. I leave a comment on a project and wait for a reply. I refresh the page, the Internet starts to slow down, I get nervous, and I press F5 five times in a row. And what do I see:







I am genuinely surprised by this picture and refresh the page. I see what should be there: the main page. I decided to repeat it. Again, the same situation. After glancing through the code, I decided to take a walk through the includes, and then I found out that everything that lies in "/classes" is served as source code without any additional manipulation. And here is the cherished config.php:






Support


Well, having played with the files, it was time to write to the project's support. I described the problem and the conditions under which it occurs. The next day I got a reply asking about the software being used and “For what purpose do you analyze the source code of the site?”. I described everything in detail once more and attached screenshots. A day later they thanked me for participating in the project’s life and said that they would correct the mistake by morning. My civic duty was fulfilled. I can sleep well.



But no such luck. The next day I decided to check support's work. When I try to view files from the “classes” folder, everything is fine: a 403 error. But index.php and all the other files from the root are, as before, served up when the page is refreshed multiple times. And this mess went on for about a week. Now you can definitely be calm.



P.S. All this happened in early December. I did not intend to publish it, but today, like many others, I received a letter about the "annual password change", read the topic "Forced password change on the site, or care about my security. Or free-lance.ru broke?" and decided that it was worth publishing, because nothing prevented someone from taking the database.

Source: https://habr.com/ru/post/112237/


