| Título | hcr707305003 shiroiAdmin latest (2026-05, commit a145613) Input Validation |
|---|
| Descripción | Summary:
shiroiAdmin contains an unauthenticated arbitrary file upload vulnerability (CWE-434) in
FileController::upload().
The file_type parameter controls which validation rules are applied. Setting it to a non-existent value
(e.g., "php")
makes rules=null, which ThinkPHP 6's Validate::checkItem() treats as validation passed. An attacker can
upload a
PHP webshell and execute arbitrary code on the server.
Technical Details:
Location: app/common/controller/FileController.php, line 27-65
Root Cause:
1. The upload() method uses user-supplied "file_type" to select validation rules from
config/filesystem.php
2. The config only defines "image", "video", "file" rules
3. When file_type is "php" or any undefined type: $config['validate']['php'] = null
4. ThinkPHP 6 Validate::checkItem() line 612-613: if (empty($rules)) { return true; }
5. No authentication: CommonBaseController has no auth, common module has no middleware
Exploitation:
POST /index.php?s=/common/file/upload
body: file_type=php, file=shell.php (containing <?php system($_GET['cmd']); ?>)
Response includes uploaded file URL. Access it with ?cmd=id to execute commands.
Countermeasure:
1. Do not allow users to control file_type parameter
2. Validate file_type against whitelist: ['image', 'video', 'file']
3. Add authentication middleware to common module |
|---|
| Fuente | ⚠️ https://github.com/hcr707305003/shiroiAdmin |
|---|
| Usuario | Lzy200657 (UID 98649) |
|---|
| Sumisión | 2026-05-30 19:16 (hace 1 mes) |
|---|
| Moderación | 2026-07-11 12:18 (1 month later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 377795 [hcr707305003 shiroiAdmin 1.1/1.3 FileController.php FileController::upload Archivo escalada de privilegios] |
|---|
| Puntos | 20 |
|---|