제출 #280001: Shopwind Shopwind <=4.6 Configuration injection정보

제목Shopwind Shopwind <=4.6 Configuration injection
설명The Shopwind software, specifically version ≤4.6, has a critical configuration injection vulnerability within the "DefaultController.php" file. This vulnerability allows an attacker to manipulate database creation parameters during the installation process, leading to arbitrary code execution. The issue arises because the software only verifies the referer without validating the install.lock. As a result, an attacker can create a malicious database on their own server, then run a POST request to reinstall the software using this database information, effectively injecting their own code into the "config.php" file. This vulnerability enables remote code execution, posing a significant security risk.
원천⚠️ https://note.zhaoj.in/share/QHdXavkw5eDm
사용자
 glzjin (UID 59815)
제출2024. 02. 09. PM 04:32 (2 연령 ago)
모더레이션2024. 02. 21. AM 11:43 (12 days later)
상태수락
VulDB 항목254393 [Shopwind 까지 4.6 Installation DefaultController.php actionCreate 권한 상승]
포인트들20

Might our Artificial Intelligence support you?

Check our Alexa App!