Arbitrary File Delete - Security #978
Comments
Hi,

Source /bl-kernel/ajax/upload-profile-picture.php: The deleted file path is $_POST['username'].'.'.pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION); payload:

Hi, I changed the code to check the image extension and check if the username has a directory separator. Do you have a better solution in mind?



Hi There.
I found Bludit v3.8.1 allows remote attackers to delete arbitrary files via /admin/ajax/upload-profile-picture.
payload:
then the file /bl-content/databases/site.php will be deleted.
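As an added example (not code from the Bludit project or from either commenter), here is one way to harden the path construction quoted above: allowlist the characters of the username rather than only searching for a directory separator, allowlist the image extension, and confirm that the resolved path still sits directly inside the profile-pictures directory. The function, directory and variable names are assumptions for illustration. In a real handler the username should additionally be taken from, or authorized against, the authenticated session instead of being trusted from the request body.

```php
<?php
// Added example, not Bludit's code. Names below (profilePicturePath,
// ALLOWED_EXTENSIONS, $picturesDir) are assumptions for illustration.

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];

/**
 * Build the absolute path of the profile picture that would be replaced,
 * or return null if any input is unacceptable. Does not touch the filesystem
 * destructively; the caller decides what to do with an accepted path.
 */
function profilePicturePath(string $picturesDir, string $username, string $uploadedName): ?string
{
    // 1. Username allowlist: letters, digits, underscore and hyphen only.
    //    This rejects '/', '\', '..', NUL bytes and a leading dot outright,
    //    which is stronger than a blocklist for the directory separator.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $username)) {
        return null;
    }

    // 2. Extension allowlist (case-insensitive), taken from the upload name.
    $ext = strtolower(pathinfo($uploadedName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // 3. Containment check, as defence in depth: the resolved parent of the
    //    candidate must be exactly the pictures directory.
    $base = realpath($picturesDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $username . '.' . $ext;
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

// Constructed inputs for a stand-alone run (php this_file.php); the
// traversal-shaped username mirrors the report above and must be rejected.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'profiles-demo';
@mkdir($dir);

$cases = [
    ['admin', 'avatar.png'],                          // accepted
    ['../../bl-content/databases/site', 'x.php'],     // traversal and bad extension
    ['../../bl-content/databases/site', 'x.png'],     // traversal, allowed extension
    ['admin', 'shell.php'],                           // bad extension only
];
foreach ($cases as [$user, $file]) {
    $path = profilePicturePath($dir, $user, $file);
    printf("%-36s %-12s => %s\n", $user, $file, $path ?? 'REJECTED');
}
```

Only the first case yields a path; the other three are rejected before any filesystem operation. Checking the extension alone would still let a traversal username reach a `.png` outside the directory, and checking only for a separator leaves the rule brittle, which is why the example layers all three checks.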