Submission #293104: Gacjie Servers Data Management System <=1.0 Arbitrary File Upload (info)

Title: Gacjie Servers Data Management System <=1.0 Arbitrary File Upload
Description: The Servers Data Management System, in version 1.0 and below, contains an Arbitrary File Upload vulnerability in its /app/admin/controller/Upload.php file. The flaw stems from the index function's failure to implement adequate file validation, which allows attackers to upload malicious PHP files without restriction. By exploiting this flaw, an attacker can upload a PHP script to the server via a crafted HTTP POST request to the endpoint /index.php/admin/Upload/index.html. Once uploaded, the attacker can execute arbitrary code by accessing the uploaded PHP file, potentially compromising the server or its data. This vulnerability was disclosed by the researcher glzjin, highlighting a significant security oversight in the application's file upload functionality.
Source: https://note.zhaoj.in/share/7kZiVRqSuiMx
User: glzjin (UID 59815)
Submitted: March 4, 2024 16:35 (2 years ago)
Moderated: March 12, 2024 16:16 (8 days later)
Status: Accepted
VulDB Entry: 256503 [Gacjie Server up to 1.0 Upload.php index file privilege escalation]
Points: 20
