| Title | MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 Unauthorized file deletion |
|---|---|
| Description | • The unauthorized file deletion vulnerability is a high-risk security flaw with severe consequences. Attackers can craft malicious requests to delete any files or directories on the server without authentication. This not only directly damages critical business files, database backups, and user data, causing system paralysis and irreversible data loss that leads to user attrition and compliance risks, but also erases essential configuration files and log records, compromising system integrity. More critically, it creates opportunities for malicious program implantation and privilege escalation, potentially triggering a chain of security incidents across the entire network. • The /post.php file in MiniCMS v1.8's backend contains a critical vulnerability that enables unauthorized file deletion. This exploit works in PHP 5.2.17 environments. Attackers can bypass authentication by intercepting backend article deletion requests, removing mc_token verification from cookies, and crafting malicious payloads with path fragments like /../1.txt and null byte truncation (%00). A simple GET request activates the vulnerability. The exploit allows deletion of any server files or directories, potentially destroying critical business data, database backups, and user records—causing service downtime and irreversible data loss. Furthermore, it may compromise system integrity by deleting configuration files and logs, creating opportunities for malware implantation and privilege escalation, thereby triggering severe security chain reactions. |
| Source | ⚠️ https://github.com/ueh1013/VULN/issues/11 |
| User | Blackooo (UID 93743) |
| Submission | 27.12.2025 11:39 (4 months ago) |
| Moderation | 04.01.2026 11:27 (8 days later) |
| Status | Duplicate |
| VulDB entry | 126384 [miniCMS 1.10 post.php?state=delete&delete weak authentication] |
| Points | 0 |