
Arbitrary file download vulnerability

Last Updated: May 07, 2018

Description

Some websites provide file viewing or download functionality to meet business needs. If you do not restrict which files users can view or download, a malicious user may attempt to view or download any file on your server.

Attackers may construct malicious requests to download sensitive files from the server, and may go on to plant webshell files on the website to take control of the server host.

Fix

  • Update the CMS or plug-in you are using to the latest version.

  • Delete the file with the vulnerability if it is no longer being used.

    Note: Make a backup before deleting the file.
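
The description above traces the issue to not limiting which files a user may view or download. The following is an added example (not code from the original page) of one way a Python download handler could enforce that limit; the function names, `DownloadDenied`, and the directory tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile

class DownloadDenied(Exception):
    """Raised when a requested name must not be served."""

def resolve_download(root, requested):
    """Return the real path of `requested` only if it lies inside `root`."""
    if "\x00" in requested:
        raise DownloadDenied("NUL byte in file name")
    root_real = os.path.realpath(root)
    # realpath collapses ../ segments and follows symlinks BEFORE the check,
    # so the comparison is made on the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise DownloadDenied("path escapes download root")
    if not os.path.isfile(candidate):
        raise DownloadDenied("not a regular file")
    return candidate

def naive_resolve(root, requested):
    """Unrestricted form for comparison: user input joined with no check."""
    return os.path.normpath(os.path.join(root, requested))

def demo():
    """Build a constructed directory tree and classify sample requests."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "downloads")
    os.mkdir(root)
    secret = os.path.join(base, "config.ini")      # outside the download root
    with open(os.path.join(root, "manual.pdf"), "w") as f:
        f.write("public")
    with open(secret, "w") as f:
        f.write("secret")
    os.symlink(secret, os.path.join(root, "link.txt"))  # link pointing outside
    results = {}
    for name in ["manual.pdf", "../config.ini", secret, "link.txt", "missing.txt"]:
        try:
            resolve_download(root, name)
            results[name] = "served"
        except DownloadDenied as exc:
            results[name] = "denied: %s" % exc
    return base, root, results

if __name__ == "__main__":
    for name, outcome in demo()[2].items():
        print(name, "->", outcome)
```
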
