Well, from your description of the problem it seems to me that your attitude is correct. It bothers me that your boss should pay more attention to security.

I know very little about your actual scenario but I think there are a few main risks here (I assume that the script allows the customer data to be written to a file which is specified via a hidden field):

• An attacker storing "interesting" customer information in a file called /etc/password or similar, provided that your web server runs as root. By interesting customer information, I mean a set of lines providing a superuser account with a password known to the attacker. This would be very handy for cracking your webserver.

• An attacker storing "interesting" customer information in the file $DOCUMENTROOT/index.html. Talk about a convenient way to deface your server.

• An attacker requesting customer information from system files, such /etc/passwd or httpd.conf in order to gain knowledge about your system.

... Please do not take these as an extensive list. It's late and I only wrote what came to mind.

Now, so far you've acted ethically. No matter what people tells you do not try to expose or exploit this flaw without premission from your employer. If you succeed (and this seems easy from your description), this will allow your employer to sue you. You would not be the first to suffer through this nonsense. I say this because it is very tempting to exploit this vulnerability and play a little prank to your company as a proof of concept, but this can get you in serious trouble.

If after you ponint this to your boss, they still decide not to fix it, then leave it alone. And in a personal note, look for another job :)

Regards