| Titel | PHPGurukul ONHS Project PHP V1.0 SQL Injection |
|---|
| Beschreibung | During a security review of "ONHS Project PHP", 0x0A1lha discovered a critical arbitrary file deletion vulnerability in the /admin/manage-nurse.php file. This vulnerability is caused by insufficient validation of the user's input of the 'profilepic' parameter, which allows the attacker to construct payload to traverse the directory and delete any file. For example: /manage-nurse.php?action=delete&bsid=1&profilepic=.. /.. /.. /.. Therefore, an attacker can delete arbitrary files on the server, including system files, web files, etc. Checksums need to be added to enhance the verification. |
|---|
| Quelle | ⚠️ https://github.com/wqywfvc/CVE/issues/16 |
|---|
| Benutzer | Anonymous User |
|---|
| Einreichung | 22.02.2025 13:20 (vor 1 Jahr) |
|---|
| Moderieren | 22.02.2025 16:58 (4 hours later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 296572 [PHPGurukul Online Nurse Hiring System 1.0 /admin/manage-nurse.php profilepic] |
|---|
| Punkte | 20 |
|---|