Submission #725137: MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 Unauthorized page deletion (Info)

Title: MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 Unauthorized page deletion

Description:

• The unauthorized page deletion vulnerability poses severe risks. Attackers can delete target website pages without authentication, ranging from basic information pages and user comment sections to core business pages and data statistics pages. Such malicious deletions may cause content gaps, functional failures, and compromised user experience and credibility. Critical business pages removed could lead to service interruptions, user attrition, and financial losses. Furthermore, the vulnerability may be exploited to manipulate website data or implant malicious code, amplifying damage. Data recovery after deletion requires substantial resources and may result in irreversible permanent data loss.

DESCRIPTION

• The /minicms/mc-admin/page.php file in MiniCMS v1.8 contains an unauthorized deletion vulnerability, affecting PHP 5.2.17. This flaw arises from the absence of permission verification for deletion operations. The exploit works by initiating a file recovery request in the backend, capturing the data packet, and retransmitting the deletion request with the mc_token Cookie field. This allows direct deletion of published pages on the target website, with the deleted pages being moved to the recycle bin. The vulnerability may cause incomplete website content and functional anomalies, while the removal of critical business pages could lead to service interruptions and financial losses, posing significant risks.
Source: ⚠️ https://github.com/ueh1013/VULN/issues/14

User: Blackooo (UID 93743)

Submission: 2025-12-27 11:37 (4 months ago)

Moderation: 2026-01-04 11:27 (8 days later)

Status: Accepted

VulDB entry: 339488 [bg5sbk MiniCMS up to 1.8 File Recovery Request page.php delete_page weak authentication]

Points: 20
