CVE-2026-3695
Path Traversal in SourceCodester Modern Image Gallery /delete.php
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| remyandrade | modern_image_gallery_app | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3695 is a path traversal vulnerability in SourceCodester Modern Image Gallery App version 1.0, specifically in the delete.php script.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application uses the filename parameter from a POST request directly in the file deletion function without any validation or sanitization.'}, {'type': 'paragraph', 'content': "The code concatenates the string 'images/' with the user-supplied filename and passes this to the unlink() function, allowing an unauthenticated attacker to delete arbitrary files on the server."}, {'type': 'paragraph', 'content': 'Attackers can include path traversal sequences like "../" in the filename to delete files outside the intended directory.'}, {'type': 'paragraph', 'content': 'A proof of concept shows that sending a POST request with parameters id=1 and filename=../config.php results in deletion of the config.php file, causing HTTP 500 errors and denial of service.'}] [1, 3]
How can this vulnerability impact me? :
This vulnerability allows attackers to delete arbitrary files on the server that the web server has write access to.
- Arbitrary File Deletion: Critical files such as config.php (containing database credentials), .htaccess (server configuration), and index.php (application entry point) can be deleted.
- Denial of Service (DoS): Deleting essential files causes the application to fail and return HTTP 500 Internal Server Errors.
- Secondary Attack Facilitation: Attackers can delete access control files, logs, or audit trails to cover their tracks or bypass authentication.
- Potential Privilege Escalation: If the web server runs with elevated privileges, attackers could delete sensitive system files such as /etc/passwd or SSH keys.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the delete.php script that include the filename parameter with path traversal sequences such as "../". An example detection method is to look for HTTP POST requests targeting delete.php with filename parameters containing directory traversal patterns.'}, {'type': 'paragraph', 'content': 'A practical approach is to use network monitoring or web server logs to identify such requests. For example, using command-line tools like grep on web server access logs to find suspicious requests:'}, {'type': 'list_item', 'content': 'grep "POST /delete.php" /var/log/apache2/access.log | grep "filename=.."'}, {'type': 'list_item', 'content': 'tcpdump or Wireshark filters to capture HTTP POST requests to delete.php and inspect the payload for filename parameters containing "../"'}, {'type': 'paragraph', 'content': 'Additionally, scanning for the presence of the vulnerable application by searching for URLs containing "delete.php" can help identify potential targets on your network.'}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include sanitizing and validating the filename parameter in the delete.php script to prevent path traversal attacks.'}, {'type': 'paragraph', 'content': 'Specifically, implement the following in the code:'}, {'type': 'list_item', 'content': 'Use basename() to strip directory components from the filename.'}, {'type': 'list_item', 'content': 'Filter the filename to allow only safe characters (e.g., alphanumeric, dots, underscores, hyphens) using a regular expression.'}, {'type': 'list_item', 'content': 'Use realpath() to ensure the resolved file path is within the intended images directory before deleting.'}, {'type': 'paragraph', 'content': 'Example secure code snippet:'}, {'type': 'paragraph', 'content': "```php\n$filename = basename($_POST['filename']);\n$filename = preg_replace('/[^a-zA-Z0-9._-]/', '', $filename);\n$image_path = 'images/' . $filename;\nif (file_exists($image_path) && strpos(realpath($image_path), realpath('images/')) === 0) {\n unlink($image_path);\n}\n```"}, {'type': 'paragraph', 'content': 'If patching is not immediately possible, consider restricting access to delete.php via network controls or web server configuration to trusted users only.'}] [3]