Vulnerability analysis

The highfashion application lets you set your favourite pose with a cookie, and then lets you view that pose again through the "viewfav.php" page. The cookie looks like "favposeid=magnum". Given a pose id (e.g., "magnum"), the "viewfav.php" page retrieves the corresponding pose name and image file name through a MySQL query, which is not injectable. On the other hand, the pose description file name is built from the pose id by string concatenation: "descr/" . $poseid . ".txt". The description is then read with the file_get_contents() PHP function and displayed on the page. Because the pose id is never validated before it is used in the file name, this leaves room for a non-blind path traversal attack.

Exploitation

The attacker must manually set the cookie to "favposeid=../flag/flag" and then request the "viewfav.php" page. The page builds the description file name "descr/../flag/flag.txt", reads its content, and displays it in the response. So the flag should appear on screen.

Remediation

To patch this vulnerability, the "viewfav.php" page should set the description file name not by concatenation but through a switch/case statement. In this way we implement a whitelist filter that rules out path traversal.
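The following PHP is an added example illustrating the fix described above; it is not the highfashion application's own code. It places the vulnerable concatenation next to the switch/case whitelist, and adds a realpath() containment check as defence in depth. The pose ids "magnum", "blue_steel" and "le_tigre", the helper names, and the descr/ layout relative to the script are assumptions.

```php
<?php
// Added example, not the highfashion application's code.
// Assumed pose ids and file layout: descr/<id>.txt next to this script.

// Vulnerable form from the write-up: the cookie value reaches the filesystem
// path unchecked, so "../flag/flag" becomes "descr/../flag/flag.txt".
function description_path_vulnerable(string $poseid): string
{
    return "descr/" . $poseid . ".txt";
}

// Hardened form: a switch/case whitelist. Only known ids map to a file;
// anything else (including traversal sequences) yields null, so the
// attacker-controlled string never becomes part of a path.
function description_path_whitelisted(string $poseid): ?string
{
    switch ($poseid) {
        case "magnum":
            return "descr/magnum.txt";
        case "blue_steel":
            return "descr/blue_steel.txt";
        case "le_tigre":
            return "descr/le_tigre.txt";
        default:
            return null;
    }
}

// Defence in depth (assumed addition, beyond the write-up's fix): even with a
// whitelist, confirm the resolved path stays inside descr/ before reading it,
// and log rejected ids so tampering shows up in the application log.
function read_description(string $poseid): string
{
    $relative = description_path_whitelisted($poseid);
    if ($relative === null) {
        error_log("viewfav: rejected pose id " . bin2hex($poseid));
        return "Unknown pose.";
    }
    $base = realpath(__DIR__ . "/descr");
    $full = realpath(__DIR__ . "/" . $relative);
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log("viewfav: path containment check failed for " . $relative);
        return "Unknown pose.";
    }
    // Escape on output so the description cannot inject HTML into the page.
    return htmlspecialchars(file_get_contents($full), ENT_QUOTES, "UTF-8");
}

// Self-check with the constructed inputs from the write-up.
assert(description_path_vulnerable("../flag/flag") === "descr/../flag/flag.txt");
assert(description_path_whitelisted("../flag/flag") === null);
assert(description_path_whitelisted("magnum") === "descr/magnum.txt");

// Cookie handling as in the page: the favourite pose id comes from favposeid.
$poseid = $_COOKIE["favposeid"] ?? "magnum";
echo read_description($poseid);
```

The switch/case is the actual fix: the user-supplied id is compared against fixed literals and never concatenated into a path. The realpath() check costs one extra syscall and catches the case where a future edit reintroduces concatenation, and the error_log() calls give operators a signal to alert on.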