Impact

The impact of this issue that is any user with the ability to create or edit pages is able to also delete files from the file system. This can be done when deleting media from a page's content.

In the case of the request, a base64 String can be replaced with another one containing a path of a file on the system, that will subsequently be deleted.

Any files within the webroot are targetable and could be deleted to compromise the integrity of the application. Similarly, files outside of the webroot scope could be targeted with malicious intent.

References

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion

For more information

please contact contact@pentest.co.uk