
Reviews from the App Store
Just downloaded and loaded 500 images in 2 seconds. The slideshow function with various settings and fullscreen view is also a real plus. Replaced Pixea on my computer. After the recent update in January 2026, a real recommendation for me.
Felix theCat
Perfect program to view and edit images. Extremely affordable price. Tried many others, Phiewer pro is outstanding!!
pyPeter01
It has already replaced Preview as my default photos viewer. Lightweight and battery-saving with an integrated photo editor, which is really impressive with its features for quick editing. As a teacher I use the app for academic purposes. Easy to use, self-explanatory, many functions, extensive options to design the way you want to see your photos! Friendly support team.
Man.Osm
No subscription. Perfect for creatives & power users.
If this payload is successful, the consequences can be severe:
http://vulnerable.site/index.php?include=-include-..-2F..-2F..-2F..-2Froot-2Fetc-2Fpasswd
If successful, the web application reads and returns:
/root/etc/passwd (unlikely) or /root/.bashrc or attempts to include a malicious file from /root/uploaded.txt.
Let’s break this string down methodically.
The /root directory, particularly in Linux systems, is the home directory for the root user. Files and directories within /root are critical for system administration and security.
Remove .., ./, %2F, %5C, and obfuscated variants like -2F:
$input = str_replace(['..', './', '-2F', '%2F', '%5C', '\\'], '', $_GET['path']);
Parameter Confusion:
Deep Traversal:
This is a Local File Inclusion (LFI) attack with encoding obfuscation.
Over 80 file formats, from standard images to professional RAW formats.
Download Phiewer PRO and experience a fast, reliable, and professional media viewer for Mac.
Requires macOS 15.0 or later