Submit #769528: projectsend 35dfd6f08f7d517709c77ee73e57367141107e6b Path Traversal

Title: projectsend 35dfd6f08f7d517709c77ee73e57367141107e6b Path Traversal
Description: The import-orphans.php page allows administrators to manage files found in the server's upload directory that are not yet tracked in the database. The delete action accepts a files[] array from POST data and constructs a file path by directly concatenating the user-supplied filename with UPLOADED_FILES_DIR. No path normalization (realpath()) or traversal-sequence (../) filtering is applied. The resulting path is passed directly to unlink(). An attacker can supply a ../-prefixed filename to escape the upload directory and delete arbitrary files accessible to the web server process. Unlike the import action in the same file, the delete branch does not call file_is_allowed(), so no extension check is enforced either.

POC:

POST /import-orphans.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=<>
Content-Type: application/x-www-form-urlencoded

action=delete&files[]=../../../../../../../../../../var/www/html/upload/temp/web.config&csrf_token=<>
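The pattern the submission describes (raw concatenation of a POST-supplied name onto UPLOADED_FILES_DIR, then unlink()) next to a hardened delete routine, as an added example. This is illustrative code written for this page, not projectsend's own import-orphans.php; the directory value assigned to UPLOADED_FILES_DIR, the function names delete_orphan_vulnerable / delete_orphan_safe / demo, and the files created under the system temp directory are all assumptions made for the demonstration. Note that the PoC above carries both a PHPSESSID and a csrf_token, so the bug is reachable only with an authenticated administrator session, which is what the description states.

```php
<?php
// Added example, not projectsend code. UPLOADED_FILES_DIR is the constant
// named in the submission; pointing it at a temp directory is an assumption.
define('UPLOADED_FILES_DIR', sys_get_temp_dir() . '/upload');

// Vulnerable pattern as the submission describes it: the user-controlled
// name is glued onto the base directory and handed straight to unlink().
function delete_orphan_vulnerable(string $filename): bool
{
    $path = UPLOADED_FILES_DIR . '/' . $filename;
    return file_exists($path) && unlink($path);
}

// Hardened form. Orphans live directly in the upload directory, so the
// name is required to be a single path component and the resolved path is
// required to stay inside the canonical base directory.
function delete_orphan_safe(string $filename): bool
{
    // 1. Reject anything that is not a plain file name: separators, "." and
    //    "..", and embedded NUL bytes (which truncate C-level paths).
    if ($filename === '' || $filename === '.' || $filename === '..'
        || $filename !== basename($filename)
        || strpos($filename, "\0") !== false) {
        return false;
    }

    // 2. Canonicalize both sides. realpath() returns false for a path that
    //    does not exist, which rejects dangling names for free.
    $base = realpath(UPLOADED_FILES_DIR);
    $path = realpath(UPLOADED_FILES_DIR . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $path === false) {
        return false;
    }

    // 3. Containment check on the canonical path. The trailing separator
    //    stops "/srv/upload" from matching "/srv/upload_backup/x". Because
    //    realpath() follows symlinks, a link inside the directory that points
    //    outside it fails here too.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // 4. Only delete regular files.
    if (!is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Demonstration on constructed files: one legitimate orphan inside the
// upload directory and one "victim" file one level above it.
function demo(): array
{
    @mkdir(UPLOADED_FILES_DIR, 0700, true);
    $inside  = UPLOADED_FILES_DIR . '/orphan.bin';
    $outside = sys_get_temp_dir() . '/victim.cfg';
    file_put_contents($inside, 'orphan');
    file_put_contents($outside, 'config');

    return [
        // "../victim.cfg" escapes the directory and the outside file is gone.
        'vuln_escaped'  => delete_orphan_vulnerable('../victim.cfg') && !file_exists($outside),
        // The same name is refused by the hardened routine.
        'safe_rejected' => !delete_orphan_safe('../victim.cfg'),
        // A genuine orphan is still deleted.
        'safe_deletes'  => delete_orphan_safe('orphan.bin') && !file_exists($inside),
    ];
}

print_r(demo());
```

Run with `php delete_orphan.php`; all three entries print as 1. The basename() check alone would be enough for this particular endpoint, since orphan names never contain a directory part; the realpath() containment check is kept as defence in depth so that the routine stays safe if it is later reused for names that may include subdirectories.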
Source: https://drive.google.com/file/d/1BOWm9FvhmM90oP91rOWpI4GoWdbI06wg/view?usp=sharing
User: 0xNayel (UID 80926)
Submission: 02/28/2026 08:28 (1 month ago)
Moderation: 03/12/2026 10:08 (12 days later)
Status: Accepted
VulDB entry: 350656 [projectsend up to r1945 Delete /import-orphans.php realpath files[] path traversal]
Points: 20
