| タイトル | PHPGurukul ONHS Project PHP V1.0 SQL Injection |
|---|
| 説明 | During a security review of "ONHS Project PHP", 0x0A1lha discovered a critical arbitrary file deletion vulnerability in the /admin/manage-nurse.php file. This vulnerability is caused by insufficient validation of the user's input of the 'profilepic' parameter, which allows the attacker to construct payload to traverse the directory and delete any file. For example: /manage-nurse.php?action=delete&bsid=1&profilepic=.. /.. /.. /.. Therefore, an attacker can delete arbitrary files on the server, including system files, web files, etc. Checksums need to be added to enhance the verification. |
|---|
| ソース | ⚠️ https://github.com/wqywfvc/CVE/issues/16 |
|---|
| ユーザー | Anonymous User |
|---|
| 送信 | 2025年02月22日 13:20 (1 年 ago) |
|---|
| モデレーション | 2025年02月22日 16:58 (4 hours later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 296572 [PHPGurukul Online Nurse Hiring System 1.0 /admin/manage-nurse.php profilepic] |
|---|
| ポイント | 20 |
|---|