Hi @Awilum,
I would like to report some security vulnerabilities that I found in MonstraCMS, can you guide me how to disclose them. Should I create a new issue or should I email the details?
The text was updated successfully, but these errors were encountered:
Vulnerability description
Monstra CMS 3.0.4 allows remote attackers to delete files via an
admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.
Vulnerability Type
Insecure Permissions
Expected Behavior
deleted uploads folder
Steps to Reproduce
1、Log in as a user with page editing permissions
2、Request http://your_site/admin/index.php?id=filesmanager&delete_dir=./&path=uploads
Possible Solutions
Strictly filter the delete_dir parameter and replace './' with '_/'
Hi @Awilum,
I would like to report some security vulnerabilities that I found in MonstraCMS, can you guide me how to disclose them. Should I create a new issue or should I email the details?
The text was updated successfully, but these errors were encountered: