In ./simple-image-manipulator/controller/download.php no checks are made to authenticate user or sanitize input when determining file location: 2 function output_file($file, $name, $mime_type='') 3 { . . . 14 /* Figure out the MIME type | Check in array */ 15 $known_mime_types=array( 16 "pdf" => "application/pdf", 17 "txt" => "text/plain", 18 "html" => "text/html", 19 "htm" => "text/html", 20 "exe" => "application/octet-stream", 21 "zip" => "application/zip", 22 "doc" => "application/msword", 23 "xls" => "application/vnd.ms-excel", 24 "ppt" => "application/vnd.ms-powerpoint", 25 "gif" => "image/gif", 26 "png" => "image/png", 27 "jpeg"=> "image/jpg", 28 "jpg" => "image/jpg", 29 "php" => "text/plain" 30 ); 31 32 if($mime_type==''){ 33 $file_extension = strtolower(substr(strrchr($file,"."),1)); 34 if(array_key_exists($file_extension, $known_mime_types)){ 35 $mime_type=$known_mime_types[$file_extension]; 36 } else { 37 $mime_type="application/force-download"; 38 }; 39 }; . . . 84 if ($file = fopen($file, 'r')) 85 { 86 if(isset($_SERVER['HTTP_RANGE'])) 87 fseek($file, $range); 88 89 while(!feof($file) && 90 (!connection_aborted()) && 91 ($bytes_send<$new_length) 92 ) 93 { 94 $buffer = fread($file, $chunksize); 95 print($buffer); //echo($buffer); // can also possible 96 flush(); 97 $bytes_send += strlen($buffer); 98 } 99 fclose($file); 100 } else 101 //If no permissiion 102 die('Error - can not open file.'); 103 //die 104 die(); 105 } 106 //Set the time out 107 set_time_limit(0); 108 109 110 //Call the download function with file path,file name and file type 111 output_file($_REQUEST['filepath'], ''.$_REQUEST['filename'].'', 'text/plain');