I think it’s safe to assume that nobody is immune to social engineering attacks hundred percent of the time, even attacks that may seem awfully plain or even silly to most of us. We all get tired, pressed for time, and take mental shortcuts at times, and that’s when we’re vulnerable.

Was the last example with Jennifer real? Brilliant! How do you find a target this easy!?

Block any directory traversal (best method):
$file = basename($_GET['blah']);

–

Allow subdirectory only traversal, but block parent directory access (alternative, less secure):
$file = preg_replace(‘/\.+/’,’.’,$_GET['blah']);

You can then do something like: include($path_to_root_dir . $file) and block any nasty directory traversal issues yet allow subdirs. Just make sure to specifiy the path, or you can still get root level access.

Also, don’t forget to validate that the file actually exists and is not a directory, or you might find yourself listing out directory entries on *nix.

We make the admin functions of our website only accessible to a small group inside the company and authenticate them via our company’s internal Active Directory server through an application proxy which we program.

JW,
Regarding your question about “all the reasons for this suspect implementation: I was just discussing this with a friend the other day and we believe the reasons are twofold: Firstly, giving the victim the ability to gain access to her compromised account via the original secret questions. And secondly, perhaps more importantly, reducing customer service costs associated with this “self service” account recovery.

Whatever the reasons for this implementation, if a Security Threat Assessment is conducted and ALL the risks weighted, these issues would be addressed.