| 标题 | https://code-projects.org/ Online Bidding System In PHP With Source Code 1.0 Arbitrary File Upload |
|---|
| Description | The application does not properly validate uploaded files. In functions.php, the file upload logic only checks the file size, without validating the file extension, MIME type or content, and without applying any server-side filtering.
Because neither file names nor file content are validated, an attacker can:
- upload a .php webshell
- upload files containing injected HTML/JS (stored XSS)
- overwrite existing files, if file names are not randomized
This leads to remote code execution (RCE) on the server. |
|---|
| Source | https://github.com/Yohane-Mashiro/cve/blob/main/upload%201.md |
|---|
| User | Yohane-Mashiro (UID 92825) |
|---|
| Submitted | 2025-11-20 16:59 (5 months ago) |
|---|
| Moderated | 2025-11-23 08:48 (3 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 333338 [code-projects Online Bidding System 1.0 addcategory.php categoryadd catimage Privilege Escalation] |
|---|
| Points | 20 |
|---|
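The description above names the pattern (a size-only check on an upload written under its client-supplied name) but not the fix. The following is an added example, not code from the Online Bidding System project or from the submitter's report: `uploadCategoryImageUnsafe()` is a hypothetical reconstruction of the size-only handler the advisory describes (the project's real functions.php is not reproduced here), and `uploadCategoryImageSafe()` is the hardened equivalent a reviewer would expect. The function names, the 2 MiB limit and the `$uploadDir` parameter are assumptions.

```php
<?php
// Added example: NOT the project's functions.php. The "unsafe" handler only
// illustrates the size-only check the advisory describes; names are assumed.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed limit

// BEFORE: the pattern described in the advisory. Only the size is checked, so
// shell.php, a .phtml file, or an HTML file carrying <script> all land under
// their original (attacker-chosen) names in a web-reachable directory.
function uploadCategoryImageUnsafe(array $file, string $uploadDir): string
{
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    $dest = rtrim($uploadDir, '/') . '/' . $file['name']; // attacker controls the name
    move_uploaded_file($file['tmp_name'], $dest);          // no extension/MIME/content check
    return $dest;
}

// AFTER: hardened handler. Every check runs server-side on the temp file;
// nothing the client sent ($file['name'], $file['type']) is trusted as-is.
function uploadCategoryImageSafe(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 1. Extension allowlist. The client name is used only as a lookup key,
    //    never as part of the stored path.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. Content sniffing on the server; $file['type'] is client-supplied and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // 3. Must parse as an image. Note: a polyglot (valid image with PHP appended)
    //    still passes this and step 2, so step 4 and the web-server config below
    //    are what actually prevent execution.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // 4. Server-chosen random name: blocks traversal, double extensions
    //    (shell.php.jpg), and the overwrite of existing files noted in the advisory.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);
    return $name; // store this, not the client name, in the database
}
```

Two points a practitioner would check alongside the code: the upload directory should live outside the document root or have script execution disabled for it (on Apache, `php_flag engine off` in the directory's .htaccess or a `<Directory>` block; on nginx, a `location` for the upload path with no PHP `fastcgi_pass`), because content checks alone do not stop image/PHP polyglots; and when the image is re-served, sending `X-Content-Type-Options: nosniff` with the correct `Content-Type` removes the stored-XSS angle from an HTML file that slipped through under an image name.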