Vulnerability Description: When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms, such as by deleting the .htaccess file, which would deactivate those security constraints.
Vulnerability Name: Multiple Arbitrary File Deletion
Date of Discovery: 20 July 2021
Product version: 1.2.9 Download link
Author: faisalfs10x
Proof of Concept 1
Vulnerable URL: http://localhost/CSZCMS-V1.2.9/member/edit/save
Vulnerable Code: line 2141 - cszcms\models\Csz_model.php
Steps to Reproduce:
Proof of Concept 2
Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave
Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php
Steps to Reproduce:
Proof of Concept 3
Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/settings/update
Vulnerable Code: line 944, 958 - cszcms\models\Csz_admin_model.php
Step to Reproduce:
Thanks. cc:@cskaza
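A defensive counterpart to the unlink() pattern described in this report, as an added example that is not CSZ CMS code or part of the original issue: the helper `safe_unlink()`, the `del_file` parameter, and the directory layout are all hypothetical. It deletes a file only when the user-supplied value is a bare file name that resolves to a regular file inside one allowed directory.

```php
<?php
declare(strict_types=1);

// Unsafe pattern the report describes (hypothetical parameter name):
//   unlink($uploadDir . '/' . $_POST['del_file']);
// A value containing "../" walks out of $uploadDir.

// Hypothetical helper: delete only regular files located directly
// inside $baseDir, whatever the caller passes in.
function safe_unlink(string $baseDir, string $userSupplied): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Accept a bare file name only: no NUL bytes, no path components.
    if ($userSupplied === '' || $userSupplied === '.' || $userSupplied === '..'
        || strpos($userSupplied, "\0") !== false
        || basename($userSupplied) !== $userSupplied) {
        return false;
    }
    // realpath() resolves symlinks, so a link that points outside the
    // base directory fails the containment check below.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userSupplied);
    if ($target === false || !is_file($target)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . '/unlink_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/.htaccess', "Require all denied\n");
file_put_contents($root . '/uploads/avatar.png', 'constructed sample');

// Traversal attempt aimed at the .htaccess one level above uploads/.
echo 'traversal deleted: ', var_export(safe_unlink($root . '/uploads', '../.htaccess'), true), "\n";
echo '.htaccess present: ', var_export(file_exists($root . '/.htaccess'), true), "\n";
// Legitimate deletion of a file inside uploads/.
echo 'avatar deleted:    ', var_export(safe_unlink($root . '/uploads', 'avatar.png'), true), "\n";

// Clean up the demo tree.
unlink($root . '/.htaccess');
rmdir($root . '/uploads');
rmdir($root);
```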