| عنوان | The Earnings and Expense Tracker Application has file reading vulnerabilities |
|---|
| الوصف | Users can read files on the server through carefully constructed urls. The vulnerability is at line 83 of index.php, where the code does not filter user input. page parameters are completely controllable and unfiltered.
https://github.com/web-zxl/img/blob/main/1.png
https://github.com/web-zxl/img/blob/main/2.png
We construct the following statement http://127.0.0.1/php-sqlite-expense-tracker/?page=php://filter /read=convert. base64-encode/resource=users and access, you can see the page read fetch base64 encoded users. base64 decoding is the source code of users.php
https://github.com/web-zxl/img/blob/main/3.png |
|---|
| المصدر | ⚠️ https://www.sourcecodester.com/php/16354/earnings-and-expense-tracker-app-using-php-and-sqlite3-source-code-free-download.html |
|---|
| المستخدم | aallll (UID 34396) |
|---|
| ارسال | 04/04/2023 12:11 PM (3 سنوات منذ) |
|---|
| الاعتدال | 05/04/2023 08:04 AM (20 hours later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 224997 [SourceCodester Earnings and Expense Tracker App 1.0 index.php page الكشف عن المعلومات] |
|---|
| النقاط | 20 |
|---|