| Titel | Douke Network Technology Co., Ltd. DouPHP DouPHP v1.8 Release 20251022 Arbitrary File Upload |
|---|
| Beschreibung | The vulnerability is a Remote Code Execution (RCE) vulnerability in the DouPHP backend. It originates from a flaw in the path validation and file naming logic of the bigfile method within the upload/include/file.class.php file.
When the sql_link_url parameter is passed via a form, the system extracts the directory part of this parameter and compares it with ROOT_URL.$file_dir; if they match, the filename from sql_link_url is directly used as the final name of the uploaded file. Additionally, the module parameter is controllable (allowing specification of the file upload directory), and setting the rec parameter to "bigfile" enables calling the flawed upload method. Although the upload process only verifies that the file suffix is an allowed type (e.g., zip), attackers can bypass this restriction by constructing sql_link_url to generate a PHP file containing malicious code.
Exploiting this vulnerability requires administrator privileges to access admin/file.php. Attackers need to construct a chunked upload packet, pass necessary parameters (such as item_id, target, blob_num), upload file chunks containing PHP execution code, and after the system merges the file, access the generated file to execute arbitrary commands. |
|---|
| Quelle | ⚠️ https://github.com/electroN1chahaha/My-CVE/issues/1 |
|---|
| Benutzer | electroN1c (UID 85481) |
|---|
| Einreichung | 30.10.2025 04:39 (vor 7 Monaten) |
|---|
| Moderieren | 14.11.2025 17:12 (16 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 332496 [DouPHP bis 1.8 Release 20251022 file.class.php Datei erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|