Source: directory (security level: low)
Flip the security level in the header to compare the vulnerable and fixed code paths.
<?php // LOW: the search term is concatenated straight into the XPath expression -> XPath injection.
// Normal use matches an exact name; injecting q=' or '1'='1 makes the predicate always-true and dumps
// EVERY record, including the hidden svc-directory account whose <note> holds the flag. Read-only.
$doc = new DOMDocument();
@$doc->loadXML($DIRECTORY_XML);
$xp = new DOMXPath($doc);
$expr = "/staff/user[name='" . $q . "']";
$nodes = @$xp->query($expr);
if ($nodes === false) {
$dir_error = "malformed XPath: " . $expr; // surfaced -> error-based confirmation, like SQLi
} else {
foreach ($nodes as $n) {
$row = array();
foreach (array('name', 'role', 'email', 'note') as $tag) {
$el = $n->getElementsByTagName($tag);
$row[$tag] = $el->length ? $el->item(0)->textContent : '';
}
$results[] = $row;
}
}