| 제목 | code-projects Vehicle Management System In PHP With Source Code 1.0` Incomplete Identification of Uploaded File Variables |
|---|
| 설명 | The application exposes an admin-only "New Driver" registration form at newdriver.php that includes a photo upload field. However, the endpoint performs no session validation — any unauthenticated attacker can directly access it without being redirected to login. Furthermore, the photo upload field accepts any file type including PHP files, with no extension filtering, MIME type validation, or content inspection.
the attacker can get remote code execution |
|---|
| 원천 | ⚠️ https://github.com/Xmyronn/Vehicle-Management-System-In-PHP---Unauthenticated-Remote-Code-Execution.git |
|---|
| 사용자 | imad alvi (UID 97088) |
|---|
| 제출 | 2026. 05. 19. PM 02:43 (18 날 ago) |
|---|
| 모더레이션 | 2026. 06. 05. AM 10:22 (17 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 368884 [code-projects Vehicle Management System 1.0 New Driver Registration Form newdriver.php photo 권한 상승] |
|---|
| 포인트들 | 20 |
|---|