| Title | QueryMine sms 1.0 RCE vulnerability |
|---|
| Description | Theadmin/addteacher.php file is responsible for handling the teacher information addition function in the background management system, which includes an image upload module. The key code for the file upload function directly obtains the original filename of the uploaded file through $_FILES['image']['name'], and saves the file to the ../img/ directory on the server using move_uploaded_file($temp_image_name,"../img/$image_name") without any security verification. Specifically, there is no check on the file extension, MIME type, or file content signature, and the ../img/ upload directory is directly accessible through the Web. This leads to a Remote Code Execution (RCE) vulnerability: attackers can upload malicious PHP scripts by constructing a valid file upload request, then access the uploaded malicious file through the Web-accessible directory to execute arbitrary code on the server, gain server control, and further steal sensitive data or destroy system functions. In addition, the project does not enable the Issue function, making it impossible to submit vulnerability reports and repair suggestions to the project maintainers through the official repository. |
|---|
| Source | ⚠️ https://github.com/duckpigdog/CVE/blob/main/QueryMine_sms%20PHP%20Project%20Deployment%20Document%20(Windows%20Local)-3.md |
|---|
| User | mofeifei (UID 96755) |
|---|
| Submission | 03/24/2026 10:36 (25 days ago) |
|---|
| Moderation | 04/17/2026 09:14 (24 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 358033 [QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593 Background Management Page admin/addteacher.php image unrestricted upload] |
|---|
| Points | 20 |
|---|