SourceCodester Modern Image Gallery App Path Traversal Vulnerability in delete.php
Vulnerability
A path traversal vulnerability has been identified in SourceCodester Modern Image Gallery App version 1.0, specifically within the delete.php file. The issue arises because the application does not properly validate the filename parameter in POST requests. This lack of validation allows unauthenticated attackers to manipulate the filename argument, leading to the deletion of arbitrary files on the server. The vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available.
Impact
Exploitation of this vulnerability allows for arbitrary file deletion on the server. This could include critical application files such as config.php, which contains database credentials, or other important files like .htaccess and index.php. Deleting config.php, for example, would cause the application to fail, as all PHP scripts rely on it being present. Additionally, if the web server has elevated permissions, there could be potential for privilege escalation by targeting sensitive system files.
Reproduction
To reproduce this vulnerability, send a POST request to delete.php with an id parameter and a filename parameter that includes a path traversal sequence, such as '../config.php'. The server responds that the file has been deleted. With config.php now missing, the application breaks with a PHP error.
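A server-side check that closes the traversal described above, as an added example (not code from the application or from SourceCodester). The function name resolve_deletable_path, the uploads directory and the sample file names are assumptions, and the demo tree is constructed.

```php
<?php
// Added example, not the application's code; paths and names are assumptions.

// Return the real path of $filename inside $uploadDir, or null when the name
// is not a bare file name or resolves outside that directory.
function resolve_deletable_path(string $uploadDir, string $filename): ?string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return null; // upload directory does not exist
    }
    // Accept bare file names only: no separators, NUL bytes or dot entries.
    if ($filename === '' || $filename === '.' || $filename === '..'
        || strpbrk($filename, "/\\\0") !== false) {
        return null;
    }
    // Resolve symlinks, then require a regular file directly under $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($target === false || !is_file($target)) {
        return null;
    }
    if (dirname($target) !== $base) {
        return null;
    }
    return $target;
}

// Constructed demo tree standing in for the app root and its upload folder.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'config.php', '<?php // placeholder');
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'cat.jpg', 'x');

// Constructed filename values as they would arrive in the POST body.
foreach (['cat.jpg', '../config.php', '..\\config.php', 'missing.jpg'] as $name) {
    $path = resolve_deletable_path($uploads, $name);
    if ($path !== null) {
        unlink($path); // only reached for a file that really lives in uploads/
    }
    printf("%-16s %s\n", $name, $path !== null ? 'deleted' : 'rejected');
}
$configPath = $root . DIRECTORY_SEPARATOR . 'config.php';
echo 'config.php present: ', file_exists($configPath) ? 'yes' : 'no', "\n";

// Remove the demo tree.
unlink($configPath);
rmdir($uploads);
rmdir($root);
```

The check addresses the traversal only; since the request is described as unauthenticated, the handler also needs an authentication check before this code is reached.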
