CVE-2021-46820: Security Bug: Arbitrary File Deletion in Admin Panel · Issue #1 · XOS-Shop/xos_shop_system
Arbitrary File Deletion vulnerability in XOS-Shop xos_shop_system 1.0.9 via current_manufacturer_image parameter to /shop/admin/categories.php
Hi @hpzeller, I found a file deletion vulnerability in the admin function module.
Vulnerability Name: Arbitrary File Deletion in Admin Panel
Date of Discovery: 25 July 2021
Product version: v1.0.9
Vulnerability Description: Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms, such as deleting the .htaccess file, which would deactivate those security constraints.
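The following PHP sketch is an added illustration of the bug class described above; it is not code from the XOS-Shop project or from the reporter, and the directory layout, function names and the `../.htaccess` payload are assumptions chosen for the example. It places the vulnerable pattern (a request-supplied filename joined to an image directory and handed straight to `unlink()`) beside a hardened version that only deletes a regular, non-dot, image-named file that resolves inside the intended directory, and runs both against a throwaway directory tree so the difference can be observed.

```php
<?php
// Added illustration; not the XOS-Shop code. Directory and parameter
// names are assumptions chosen for this example.
declare(strict_types=1);

// Vulnerable pattern: the filename comes from the request and is joined
// to the image directory without any check, so "../.htaccess" or an
// absolute path escapes the directory. Shown for contrast only.
function delete_image_vulnerable(string $imageDir, string $userPath): bool
{
    return @unlink($imageDir . $userPath);
}

// Hardened version: accept only a bare image filename, resolve both paths
// with realpath(), and require the target to be a regular file strictly
// inside the image directory before calling unlink().
function delete_image_safe(string $imageDir, string $userPath): bool
{
    // Any directory component ("../x", "/etc/x", "sub/x") is rejected outright.
    if ($userPath === '' || $userPath !== basename($userPath)) {
        return false;
    }
    // Allowlist the shape of an image filename; ".htaccess" never matches.
    if (!preg_match('/^[A-Za-z0-9._-]+\.(jpe?g|png|gif)$/i', $userPath)) {
        return false;
    }
    // Be explicit about dotfiles even though the pattern above excludes them.
    if ($userPath[0] === '.') {
        return false;
    }

    $base   = realpath($imageDir);
    $candidate = $imageDir . DIRECTORY_SEPARATOR . $userPath;
    $target = realpath($candidate);
    if ($base === false || $target === false) {
        return false;
    }
    // Containment check: the resolved target must sit below the base directory.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    // Refuse symlinks (realpath would follow them) and anything that is not a plain file.
    if (is_link($candidate) || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Self-contained demonstration in a temporary directory tree (constructed data).
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xos_demo_' . bin2hex(random_bytes(4));
$images = $root . DIRECTORY_SEPARATOR . 'images';
mkdir($images, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . '.htaccess', "Deny from all\n");
file_put_contents($images . DIRECTORY_SEPARATOR . 'logo.png', 'png');

// Traversal payload of the kind a request parameter could carry.
$payload = '../.htaccess';

printf("vulnerable: unlink returned %s, .htaccess exists afterwards: %s\n",
    var_export(delete_image_vulnerable($images . DIRECTORY_SEPARATOR, $payload), true),
    var_export(file_exists($root . DIRECTORY_SEPARATOR . '.htaccess'), true));

// Recreate the file, then show the hardened function refuses the same payload
// while still deleting a legitimate image.
file_put_contents($root . DIRECTORY_SEPARATOR . '.htaccess', "Deny from all\n");
printf("hardened:   traversal payload accepted: %s, .htaccess exists afterwards: %s\n",
    var_export(delete_image_safe($images, $payload), true),
    var_export(file_exists($root . DIRECTORY_SEPARATOR . '.htaccess'), true));
printf("hardened:   legitimate image deleted: %s\n",
    var_export(delete_image_safe($images, 'logo.png'), true));

// Cleanup of the constructed tree.
unlink($root . DIRECTORY_SEPARATOR . '.htaccess');
rmdir($images);
rmdir($root);
```

Two points worth noting about the hardened function: the `basename()` comparison rejects traversal before any filesystem call is made, so the `realpath()` containment check is a second, independent line of defence rather than the only one; and the check is on the resolved path, not on the string the user sent, which is what keeps symlinks and `..` sequences from slipping through. In an application this would still sit behind the admin authentication and CSRF protection of the form that triggers it; the path check only limits what an authenticated request can remove.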