Security Issue: arbitrary file deletion vulnerability in “\system\admin\views\backup.html.php” #462
Comments
Hello, are you sure it can delete files outside the backup folder? I already specify:

So it always checks whether the user is logged in or not and then always searches for the file inside the backup folder in htmly's installation folder.

I just confirmed this on Ubuntu/Apache2. I am able to delete a file in htmly's root directory.

Yes, it can delete files outside the backup folder. As shown in the above picture, I can delete "C:\Windows\win.ini".

Thanks @wszdhf for the report and @ProjectPatatoe for the pull request.
Hi there,
I found an arbitrary file deletion vulnerability in Htmly.
Proof of Concept:
Tested on Windows 7 and Htmly versions 2.8.1 and 2.8.0.
1. Log in to the dashboard, click Tools --> Backup --> Create backup to create a backup.
2. Arbitrary file deletion: click Delete and modify the file parameter.
payload: GET /htmly1/admin/backup?file=htmly_2021-05-12-09-33-30.zip/../../../../../../windows/win.ini&submit=Delete
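Added example, not htmly's code and not the patch from the linked pull request: a hypothetical PHP delete handler in the shape the report describes (the `file` parameter appended to the backup directory and passed to `unlink()`), beside a hardened version that accepts only a bare `.zip` file name and confirms with `realpath()` that the resolved path still lies under the backup directory. The function names `backup_delete_unsafe`, `resolve_backup_file` and `backup_delete_safe`, and the temporary directory layout the demo builds, are assumptions made for this example.

```php
<?php
// Added example, not htmly's own code. Function names and the demo layout are
// assumptions for illustration only.

// Vulnerable shape: the request parameter is glued onto the backup directory and
// deleted as-is, so a value containing ".." escapes the folder. The report's
// payload keeps a backup name in front ("x.zip/../../..."); Windows normalises
// paths lexically so the non-directory prefix is tolerated there.
function backup_delete_unsafe(string $backupDir, string $file): bool
{
    $path = $backupDir . DIRECTORY_SEPARATOR . $file;
    return is_file($path) && unlink($path);
}

// Hardened: only a plain file name is accepted (no separators, no "." or ".."),
// it must look like a backup archive, and the resolved path must stay inside the
// resolved backup directory. realpath() also follows symlinks, so a link placed in
// the backup folder that points elsewhere is rejected by the prefix check.
function resolve_backup_file(string $backupDir, string $file): ?string
{
    if ($file === '' || $file === '.' || $file === '..' || $file !== basename($file)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_.-]+\.zip$/', $file)) {
        return null;
    }
    $base = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false) {
        return null; // backup directory missing, or no such file
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the backup directory
    }
    return $path;
}

function backup_delete_safe(string $backupDir, string $file): bool
{
    $path = resolve_backup_file($backupDir, $file);
    return $path !== null && unlink($path);
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed demo layout in a scratch directory:
//   <tmp>/secret.txt      a file outside the backup folder
//   <tmp>/backup/a.zip    a legitimate backup archive
$tmp = sys_get_temp_dir() . '/htmly_demo_' . bin2hex(random_bytes(4));
$backup = $tmp . '/backup';
mkdir($backup, 0700, true);
file_put_contents($tmp . '/secret.txt', 'outside');
file_put_contents($backup . '/a.zip', 'PK');

// The unsafe handler follows "../secret.txt" out of the backup folder and deletes it.
backup_delete_unsafe($backup, '../secret.txt');
check(!file_exists($tmp . '/secret.txt'), 'unsafe handler deleted a file outside the backup folder');

// The hardened handler refuses traversal inputs (both the plain form and the
// report's prefixed form) but still deletes a genuine backup by name.
file_put_contents($tmp . '/secret.txt', 'outside');
check(!backup_delete_safe($backup, '../secret.txt'), 'plain traversal rejected');
check(!backup_delete_safe($backup, 'a.zip/../../secret.txt'), 'prefixed traversal rejected');
check(file_exists($tmp . '/secret.txt'), 'file outside the backup folder untouched');
check(backup_delete_safe($backup, 'a.zip'), 'legitimate backup deleted');
check(!file_exists($backup . '/a.zip'), 'backup archive is gone');

// Clean up the scratch directory.
unlink($tmp . '/secret.txt');
rmdir($backup);
rmdir($tmp);
echo "all checks passed\n";
```

Run it with `php example.php`; every `check()` throws if the handler does not behave as described. The important part of the fix is the combination: `basename()` alone stops directory components, but the `realpath()` prefix comparison is what guarantees the final path is inside the backup directory even when the folder contains a symlink, and the `.zip` whitelist keeps the endpoint from deleting anything the backup tool did not create.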