| Field | Value |
|---|---|
| Title | projectsend 35dfd6f08f7d517709c77ee73e57367141107e6b Path Traversal |
| Description | The import-orphans.php page allows administrators to manage files found in the server's upload directory that are not yet tracked in the database. The delete action accepts a `files[]` array from POST data and constructs a file path by directly concatenating the user-supplied filename with `UPLOADED_FILES_DIR`. No path normalization (`realpath()`) or traversal-sequence (`../`) filtering is applied, and the resulting path is passed directly to `unlink()`. An attacker can supply a `../`-prefixed filename to escape the upload directory and delete arbitrary files accessible to the web server process. Unlike the import action in the same file, the delete branch does not call `file_is_allowed()`, meaning no extension check is enforced either.<br><br>POC:<br>`POST /import-orphans.php HTTP/1.1`<br>`Host: localhost`<br>`Cookie: PHPSESSID=<>`<br>`Content-Type: application/x-www-form-urlencoded`<br><br>`action=delete&files[]=../../../../../../../../../../var/www/html/upload/temp/web.config&csrf_token=<>` |
| Source | https://drive.google.com/file/d/1BOWm9FvhmM90oP91rOWpI4GoWdbI06wg/view?usp=sharing |
| User | 0xNayel (UID 80926) |
| Submitted | 2026. 02. 28. 08:28 AM (1 month ago) |
| Moderation | 2026. 03. 12. 10:08 AM (12 days later) |
| Status | Accepted |
| VulDB Entry | 350656 [projectsend up to r1945 Delete /import-orphans.php realpath files[] path traversal] |
| Points | 20 |
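The fix the description implies is to canonicalize the requested name and confirm it still resolves inside the upload directory before calling `unlink()`, and to apply the same extension allow-list the import branch already uses. The following is an added example of that check, not ProjectSend's own code: the function names (`resolve_orphan_path`, `extension_is_allowed`, `delete_orphans`), the temporary upload directory and the allow-list are assumptions made for this illustration.

```php
<?php
// Added example (not ProjectSend's code): hardened handling for the delete
// branch described above. Function names, the upload directory and the
// extension allow-list are assumptions for this illustration.
declare(strict_types=1);

/**
 * Resolve a user-supplied orphan filename to a canonical path inside
 * $upload_dir. Returns null unless the name maps to a regular file there.
 */
function resolve_orphan_path(string $upload_dir, string $user_filename): ?string
{
    // An orphan is referenced by its bare filename: reject NUL bytes and any
    // directory separator outright, plus the '.' and '..' entries.
    if ($user_filename === '' || strpbrk($user_filename, "\0/\\") !== false) {
        return null;
    }
    if ($user_filename === '.' || $user_filename === '..') {
        return null;
    }

    $base = realpath($upload_dir);
    if ($base === false) {
        return null; // upload directory does not exist
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_filename);
    if ($candidate === false) {
        return null; // no such file (or dangling symlink)
    }
    // The canonical path must still begin with the canonical base plus a
    // separator; this also rejects a symlink inside the upload directory that
    // points somewhere else.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (!is_file($candidate)) {
        return null; // refuse directories and special files
    }
    return $candidate;
}

/** Extension allow-list check, mirroring what the import branch enforces. */
function extension_is_allowed(string $path, array $allowed): bool
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

/** Delete the requested orphans; returns ['deleted' => [...], 'rejected' => [...]]. */
function delete_orphans(string $upload_dir, array $requested, array $allowed): array
{
    $result = ['deleted' => [], 'rejected' => []];
    foreach ($requested as $name) {
        if (!is_string($name)) {
            $result['rejected'][] = $name;
            continue;
        }
        $path = resolve_orphan_path($upload_dir, $name);
        if ($path === null || !extension_is_allowed($path, $allowed)) {
            $result['rejected'][] = $name;
            continue;
        }
        if (@unlink($path)) {
            $result['deleted'][] = $name;
        } else {
            $result['rejected'][] = $name;
        }
    }
    return $result;
}

// Constructed demo: a throwaway upload directory and one file outside it.
$upload_dir = sys_get_temp_dir() . '/orphans_demo_' . bin2hex(random_bytes(4));
mkdir($upload_dir, 0700, true);
file_put_contents($upload_dir . '/report.pdf', 'pdf');
$outside = sys_get_temp_dir() . '/outside_' . bin2hex(random_bytes(4)) . '.txt';
file_put_contents($outside, 'must survive');

// Constructed input in the shape of $_POST['files']: one legitimate orphan,
// a traversal attempt at the outside file, '..' itself and a missing name.
$files = ['report.pdf', '../' . basename($outside), '..', 'missing.pdf'];
$r = delete_orphans($upload_dir, $files, ['pdf', 'jpg', 'png']);
printf("deleted: %s\n", implode(', ', $r['deleted']));
printf("rejected: %s\n", implode(', ', $r['rejected']));
printf("outside file intact: %s\n", file_exists($outside) ? 'yes' : 'no');

// Cleanup of the constructed files.
@unlink($outside);
@unlink($upload_dir . '/report.pdf');
@rmdir($upload_dir);
```

The prefix comparison is done on the `realpath()` output of both the base and the candidate, which is what catches both `../` sequences and symlinks; checking only for the literal `../` substring would miss the latter. Detection-wise, a `files[]` value containing a separator in a delete request is itself worth logging, since a legitimate orphan name never has one.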