| Title | ZhiHuiYun ZhiHuiYun <=4.4.13 Arbitrary File Upload |
|---|---|
| Description | ZhiHuiYun, version 4.4.13 and earlier, is found to have an Arbitrary File Upload vulnerability in the ImageController.php file. Specifically, the function 'download_network_image' downloads and saves files from a URL to the server without proper validation or restrictions. An attacker can exploit this by hosting a malicious PHP file on their own server, then sending a request to download that file. The application does not prevent the download and storage of the malicious file, which can then be located using the search function. This vulnerability could allow an attacker to upload and execute arbitrary code on the server, potentially leading to full system compromise. |
| Source | https://note.zhaoj.in/share/jC6NMe5TRSys |
| User | glzjin (UID 59815) |
| Submission | 2024. 01. 14. PM 05:50 (2 years ago) |
| Moderation | 2024. 01. 17. PM 02:58 (3 days later) |
| Status | Accepted |
| VulDB Entry | 251375 [ZhiHuiYun up to 4.4.13 Search ImageController.php download_network_image url privilege escalation] |
| Points | 20 |