| 제목 | Harry Yu MoneyPrinterTurbo v1.2.6 Incomplete Identification of Uploaded File Variables |
|---|
| 설명 | app/controllers/v1/video.py:207-223 / upload_bgm_file: This function only checks if the file extension is '.mp3' and does not verify the actual content type of the file. This allows attackers to upload files with an '.mp3' extension that contain malicious content. Additionally, there is no file size limit, which could lead to exhaustion of storage resources. Furthermore, files are saved directly using their original filenames without sanitization, potentially allowing attackers to overwrite critical system files. |
|---|
| 사용자 | zhangjx (UID 87395) |
|---|
| 제출 | 2025. 07. 04. AM 06:31 (12 개월 ago) |
|---|
| 모더레이션 | 2025. 07. 19. PM 01:19 (15 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 317010 [harry0703 MoneyPrinterTurbo 까지 1.2.6 File Extension video.py upload_bgm_file 파일 권한 상승] |
|---|
| 포인트들 | 17 |
|---|