إرسال #855048: SourceCodester Online Book Store System 1.0 Local File Inclusionالمعلومات

عنوانSourceCodester Online Book Store System 1.0 Local File Inclusion
الوصفA Local File Inclusion (LFI) vulnerability exists in SourceCodester Online Book Store System 1.0. The administrative interface dynamically includes files based on the user-controlled 'page' parameter without proper validation or allow-list restrictions. An authenticated attacker can abuse the PHP stream wrapper 'php://filter/convert.base64-encode/resource=' to disclose arbitrary PHP source code files. During testing, the source code of admin_class.php was successfully retrieved and decoded. The disclosed source code contains authentication logic, session handling functionality, database queries, user management operations, and other sensitive application components. This information may facilitate further attacks against the application. CWE-98 CVSS v3.1: 4.9 (Medium)
المصدر⚠️ https://medium.com/@hemantrajbhati5555/local-file-inclusion-lfi-via-page-parameter-leading-to-source-code-disclosure-ce722de0c407
المستخدم Hemant Raj Bhati (UID 95613)
ارسال10/06/2026 02:01 PM (1 شهر منذ)
الاعتدال12/07/2026 08:07 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB377890 [SourceCodester Online Book Store System 1.0 Administrative Interface /admin/index.php page الكشف عن المعلومات]
النقاط20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!