| عنوان | PHPGurukul ONHS Project PHP V1.0 SQL Injection |
|---|
| الوصف | During a security review of "ONHS Project PHP", 0x0A1lha discovered a critical arbitrary file deletion vulnerability in the /admin/manage-nurse.php file. This vulnerability is caused by insufficient validation of the user's input of the 'profilepic' parameter, which allows the attacker to construct payload to traverse the directory and delete any file. For example: /manage-nurse.php?action=delete&bsid=1&profilepic=.. /.. /.. /.. Therefore, an attacker can delete arbitrary files on the server, including system files, web files, etc. Checksums need to be added to enhance the verification. |
|---|
| المصدر | ⚠️ https://github.com/wqywfvc/CVE/issues/16 |
|---|
| المستخدم | Anonymous User |
|---|
| ارسال | 22/02/2025 01:20 PM (1 سنة منذ) |
|---|
| الاعتدال | 22/02/2025 04:58 PM (4 hours later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 296572 [PHPGurukul Online Nurse Hiring System 1.0 /admin/manage-nurse.php profilepic] |
|---|
| النقاط | 20 |
|---|