PHP Scripts Mall Medical Store Script 3.0.3 has Path Traversal [CVE-2019-9607]

Vulnerability Description => The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

<<< How to Exploit >>>

1. Go to the Medical Store Script site (

2. Open Burp Suite, then intercept and spider the site.

3. Use the Burp search option and search for jpg or png.

4. Pick any matching link and select "show response in browser".

5. Delete the last part of the URL, i.e. everything after the last forward slash (the ×400.jpg file name).

6. You will get the full file list of that directory (directory listing).

*** You can also check this by copying any picture URL and removing its last path segment. ***
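The description above is the generic CWE-22 wording, and the steps show the concrete symptom in this product: requesting an image directory without a file name returns a listing. The following added example (mine, not code from PHP Scripts Mall or from the advisory) shows the neutralization step the description says is missing, written as a small Python helper that a file-serving handler would call: canonicalize the requested path, require it to stay under the web root, and refuse to serve directories at all so no listing can be produced. The directory tree and file names it uses are constructed for the demo.

```python
import os
import tempfile


class PathRejected(Exception):
    """Raised when a requested path must not be served."""


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` only if it is a regular file
    strictly inside `base_dir`; otherwise raise PathRejected.

    Canonicalize first (realpath follows symlinks and collapses ".."), then
    compare against the canonical base. Refusing directories closes the
    directory-listing behaviour the steps above rely on.
    """
    base = os.path.realpath(base_dir)
    # Strip leading separators so an absolute input cannot replace the base
    # in os.path.join (join(base, "/etc/passwd") would return "/etc/passwd").
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # Compare with a trailing separator so that a sibling such as
    # /var/www/uploads_evil is not accepted for base /var/www/uploads.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathRejected(f"escapes base directory: {requested!r}")
    if os.path.isdir(candidate):
        raise PathRejected(f"directory requested, listing refused: {requested!r}")
    if not os.path.isfile(candidate):
        raise PathRejected(f"not a regular file: {requested!r}")
    return candidate


def classify(base_dir: str, requested: str) -> str:
    """Return 'ok' if the path would be served, else the rejection reason."""
    try:
        resolve_under_base(base_dir, requested)
        return "ok"
    except PathRejected as exc:
        return str(exc).split(":")[0]


def demo() -> dict:
    """Build a constructed web root in a temp dir and classify sample requests."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        products = os.path.join(uploads, "products")
        os.makedirs(products)
        with open(os.path.join(products, "pill-400x400.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff")  # constructed JPEG header bytes
        with open(os.path.join(root, "config.php"), "w") as f:
            f.write("<?php // constructed secret outside the web root\n")
        requests = [
            "products/pill-400x400.jpg",  # a normal image request
            "products/",                  # step 5 above: file name removed
            "products",                   # same directory, no trailing slash
            "../config.php",              # classic traversal out of the base
            "/etc/passwd",                # absolute path smuggled into join
            "products/missing.jpg",       # inside the base but absent
        ]
        return {req: classify(uploads, req) for req in requests}


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:32} -> {verdict}")
```

The same outcome for the listing part can be enforced at the web server independently of the application code: on Apache, `Options -Indexes` for the upload directory makes a request for the directory itself return 403 instead of a listing, which is the quickest mitigation while the script's own path handling is fixed.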

