जमा करें #843890: hcr707305003 shiroiAdmin latest (2026-05, commit a145613) Input Validationजानकारी

शीर्षकhcr707305003 shiroiAdmin latest (2026-05, commit a145613) Input Validation
विवरणSummary: shiroiAdmin contains an unauthenticated arbitrary file upload vulnerability (CWE-434) in FileController::upload(). The file_type parameter controls which validation rules are applied. Setting it to a non-existent value (e.g., "php") makes rules=null, which ThinkPHP 6's Validate::checkItem() treats as validation passed. An attacker can upload a PHP webshell and execute arbitrary code on the server. Technical Details: Location: app/common/controller/FileController.php, line 27-65 Root Cause: 1. The upload() method uses user-supplied "file_type" to select validation rules from config/filesystem.php 2. The config only defines "image", "video", "file" rules 3. When file_type is "php" or any undefined type: $config['validate']['php'] = null 4. ThinkPHP 6 Validate::checkItem() line 612-613: if (empty($rules)) { return true; } 5. No authentication: CommonBaseController has no auth, common module has no middleware Exploitation: POST /index.php?s=/common/file/upload body: file_type=php, file=shell.php (containing <?php system($_GET['cmd']); ?>) Response includes uploaded file URL. Access it with ?cmd=id to execute commands. Countermeasure: 1. Do not allow users to control file_type parameter 2. Validate file_type against whitelist: ['image', 'video', 'file'] 3. Add authentication middleware to common module
स्रोत⚠️ https://github.com/hcr707305003/shiroiAdmin
उपयोगकर्ता
 Lzy200657 (UID 98649)
सबमिशन30/05/2026 07:16 PM (1 महीना पहले)
संयम11/07/2026 12:18 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि377795 [hcr707305003 shiroiAdmin 1.1/1.3 FileController.php FileController::upload Arquivo अधिकार वृद्धि]
अंक20

Interested in the pricing of exploits?

See the underground prices here!