| タイトル | code-projects Vehicle Management System In PHP With Source Code 1.0` Incomplete Identification of Uploaded File Variables |
|---|
| 説明 | The application exposes an admin-only "New Driver" registration form at newdriver.php that includes a photo upload field. However, the endpoint performs no session validation — any unauthenticated attacker can directly access it without being redirected to login. Furthermore, the photo upload field accepts any file type including PHP files, with no extension filtering, MIME type validation, or content inspection.
the attacker can get remote code execution |
|---|
| ソース | ⚠️ https://github.com/Xmyronn/Vehicle-Management-System-In-PHP---Unauthenticated-Remote-Code-Execution.git |
|---|
| ユーザー | imad alvi (UID 97088) |
|---|
| 送信 | 2026年05月19日 14:43 (18 日 ago) |
|---|
| モデレーション | 2026年06月05日 10:22 (17 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 368884 [code-projects Vehicle Management System 1.0 New Driver Registration Form newdriver.php photo 特権昇格] |
|---|
| ポイント | 20 |
|---|