जमा करें #778277: z-9527 admin ≤ commit 72aaf2d Path Traversal: '../filedir'जानकारी

शीर्षकz-9527 admin ≤ commit 72aaf2d Path Traversal: '../filedir'
विवरणAn unrestricted file upload vulnerability exists in Z-9527 Admin ≤ commit 72aaf2d at the /upload endpoint, where the fileType query parameter is concatenated into the target filesystem path without validation or canonicalization, and the optional isImg check can be bypassed. As a result, authenticated attackers can write arbitrary files to the server filesystem. Mitigations include mapping fileType to a server-side whitelist of directories, canonicalizing and verifying that resolved paths are inside a fixed upload root, rejecting directory-traversal or absolute-path inputs, generating safe server-side filenames, validating content by magic bytes and size, storing uploads outside the webroot, and running the service with least privilege.
स्रोत⚠️ https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-9
उपयोगकर्ता
 Anonymous User
सबमिशन12/03/2026 03:21 AM (4 महीनों पहले)
संयम27/03/2026 02:48 PM (15 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि353886 [z-9527 admin तक 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2 isImg Check /server/utils/upload.js uploadFile fileType निर्देशिका ट्रैवर्सल]
अंक20

Do you want to use VulDB in your project?

Use the official API to access entries easily!