| शीर्षक | mjperpinosa stumasy 1.0 RCE vulnerability |
|---|
| विवरण | The post attachment upload functionality in `add_post.php` attempts to validate the uploaded file by checking if its MIME type **or** file extension matches a predefined whitelist:
```php
if (in_array($_FILES["type"], allowed_file_type) || in_array($_FILES["type"], allowed_image_type) || in_array($file_extension, allowed_extension))
```
Because the condition uses the || (OR) operator, an attacker only needs to satisfy one of the checks. By supplying a malicious PHP file with a forged MIME type (e.g., application/pdf) and a .php extension, the MIME check passes, and the extension check is effectively bypassed. The uploaded file is then moved to a web‑accessible directory using the original user‑supplied filename:
···
move_uploaded_file(..., "../../../../documents/files/" . $file_name);
···
The filename is not sanitised with basename() or stripped of directory separators, which could also allow path traversal in environments where the filesystem supports such characters. Once uploaded, the PHP file resides inside documents/files/ and can be requested directly, causing the server to execute the attacker’s code. |
|---|
| स्रोत | ⚠️ https://github.com/mjperpinosa/stumasy/issues/1 |
|---|
| उपयोगकर्ता | cnluminous (UID 98136) |
|---|
| सबमिशन | 16/05/2026 02:34 PM (21 दिन पहले) |
|---|
| संयम | 04/06/2026 07:14 AM (19 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 368254 [mjperpinosa stumasy add_post.php up_file_to_post अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|