| tiêu đề | PHPGurukul ONHS Project PHP V1.0 SQL Injection |
|---|
| Mô tả | During a security review of "ONHS Project PHP", 0x0A1lha discovered a critical arbitrary file deletion vulnerability in the /admin/manage-nurse.php file. This vulnerability is caused by insufficient validation of the user's input of the 'profilepic' parameter, which allows the attacker to construct payload to traverse the directory and delete any file. For example: /manage-nurse.php?action=delete&bsid=1&profilepic=.. /.. /.. /.. Therefore, an attacker can delete arbitrary files on the server, including system files, web files, etc. Checksums need to be added to enhance the verification. |
|---|
| Nguồn | ⚠️ https://github.com/wqywfvc/CVE/issues/16 |
|---|
| Người dùng | Anonymous User |
|---|
| Đệ trình | 22/02/2025 13:20 (cách đây 1 Năm) |
|---|
| Kiểm duyệt | 22/02/2025 16:58 (4 hours later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 296572 [PHPGurukul Online Nurse Hiring System 1.0 /admin/manage-nurse.php profilepic] |
|---|
| điểm | 20 |
|---|