Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types (.jpg, .png, .gif, .jpeg, and .ico).
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
HisiPHP 跨站请求伪造漏洞
Vulnerability Description
HisiPHP是一套基于ThinkPHP和Layui的快速开发框架,它集成了权限管理、模块管理、插件管理和数据库管理等功能。 HisiPHP 1.0.8版本中存在跨站请求伪造漏洞,该漏洞源于admin.php/admin/user/adduser.html脚本未能妥当地验证用户提交的输入。远程攻击者可通过发送畸形的HTTP请求利用该漏洞添加管理员账户,进而执行任意PHP代码。
CVSS Information
N/A
Vulnerability Type
N/A