File deletion vulnerability.There is no filterling for get parameter when we want to delete the backup of database files.So we can delete any file or dir.we can also delete the lock of installation.
Download the latest version and install it from official website.
Login administrator interface and locate this url,then choice Database file backup.
the backup dir is located in
created a new dir named
123,and create a new file named
catch the data packet,then modify parameter
forward it and we amazedly find the dir
123 has been deleted
The Vulnerable code is located in V4.6_20180920,
Line 111 check token to avoid csrf.Line 112-113 get the parameter
sql to complement the path.Line 114-118 get all the dir and subdir then delete them.
The filterling of get parameter is not strick.
../ can pass it.The filterling of get parameter is located in