HTMLy 2.7.5 Exploit
curl -F "file=@shell.phtml" https://target.com/admin/inc/upload.php
------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="evil.php"
Content-Type: text/plain
A remote attacker with Administrator privileges can manipulate file parameters within the dashboard to delete any file on the server.
If you are running version 2.7.5, it is highly recommended to upgrade to a newer, patched version of HTMLy immediately.
The application fails to properly sanitize the file parameter in the backup/delete functionality. By providing an absolute path (e.g., /etc/passwd or index.php), the server-side script executes the deletion command outside of the intended directory.

Security Context and Comparison
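
A defensive counterpart to the file-parameter flaw described above, added here as an example and not taken from HTMLy's code: a delete handler that accepts only a bare file name, canonicalizes it, and refuses anything that resolves outside the backup directory. The function name delete_backup(), the directory layout and the demo file names are hypothetical and constructed for the example.

```php
<?php
// Added example; not HTMLy code. delete_backup() and the paths below are hypothetical.

function delete_backup(string $backupDir, string $requested): bool
{
    // 1. Allowlist: a bare file name only. Rejects "/", "\", NUL bytes, "." and "..".
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $requested)) {
        return false;
    }
    // 2. Canonicalize the base directory and the target so symlinks are resolved.
    $base = realpath($backupDir);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // 3. Containment: the resolved target must still sit inside the backup directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree: one real backup, one file outside the backup
// directory, and a symlink inside the backup directory that points outside it.
$root = sys_get_temp_dir() . '/delete_demo_' . bin2hex(random_bytes(4));
mkdir("$root/backup", 0700, true);
file_put_contents("$root/backup/site-2024.zip", 'x');
file_put_contents("$root/index.php", '<?php');
symlink("$root/index.php", "$root/backup/link.zip");

$inputs = ['site-2024.zip', '/etc/passwd', '../index.php', "$root/index.php", 'link.zip'];
foreach ($inputs as $name) {
    $result = delete_backup("$root/backup", $name) ? 'deleted' : 'rejected';
    printf("%-45s %s\n", $name, $result);
}
// Confirms the file outside the backup directory survived every request.
var_dump(file_exists("$root/index.php"));
```

Checking the canonical path after realpath(), rather than the raw parameter, is what stops both the absolute-path case and a symlink planted inside the backup directory.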