Bug Report: Multiple Arbitrary File Deletion vulnerabilities #32

Closed
faisalfs10x opened this issue Jul 20, 2021 · 1 comment

faisalfs10x commented Jul 20, 2021

Vulnerability Name: Multiple Arbitrary File Deletion

Date of Discovery: 20 July 2021

Product version: 1.2.9 Download link

Author: faisalfs10x

Vulnerability Description: When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms, such as by deleting the .htaccess file, which would deactivate those security constraints.


Proof of Concept 1

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/member/edit/save
Vulnerable Code: line 2141 - cszcms\models\Csz_model.php


Steps to Reproduce:

  1. Log in as member
  2. Go to Edit Profile
  3. Upload any image as profile picture and click save button - refresh
  4. Click "Delete File" checkbox and click save button
  5. Intercept the request and replace the existing image with any file on the server via the parameter "del_file".



Proof of Concept 2

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave
Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php


Steps to Reproduce:

  1. Log in as admin
  2. Go to Plugin Manager > Article > edit any article
  3. Upload any image as "Main Picture" and "File Upload" and click save button
  4. Click "Delete File" button for both "Main Picture" and "File Upload" and click save button
  5. Intercept the request and replace the existing image with any file on the server via the parameters "del_file" and "del_file2"



Proof of Concept 3

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/settings/update
Vulnerable Code: line 944, 958 - cszcms\models\Csz_admin_model.php


Steps to Reproduce:

  1. Log in as admin
  2. Go to General Menu > Site Setting
  3. Upload any image as "Site Logo" and "Image of og metatag" and click save button
  4. Click "Delete File" button for both "Site Logo" and "Image of og metatag" and click save button
  5. Intercept the request and replace the existing image with any file on the server via the parameters "del_file" and "del_og_image"


Thanks. cc:@cskaza
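
A containment check for a deletion parameter such as "del_file", added here as an example; it is not part of the original report and is not CSZ CMS code. The function name, the "uploads" directory and the sample files are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not CSZ CMS code): delete a file named by a request
 * parameter such as "del_file" only if it resolves inside $uploadDir.
 * Returns true when a file was deleted, false when the value was rejected.
 */
function delete_uploaded_file(string $uploadDir, string $userValue): bool
{
    $base = realpath($uploadDir);
    // Reject empty values and NUL bytes before touching the filesystem.
    if ($base === false || $userValue === '' || strpos($userValue, "\0") !== false) {
        return false;
    }
    // realpath() resolves symlinks and "../" segments before the comparison.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userValue);
    if ($target === false || !is_file($target)) {
        return false; // nonexistent path, or a directory
    }
    // The resolved path must sit strictly under the upload directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo: a scratch tree standing in for a web root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'afd_demo_' . bin2hex(random_bytes(4));
$upload = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($upload, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . '.htaccess', "Deny from all\n");
file_put_contents($upload . DIRECTORY_SEPARATOR . 'avatar.png', 'x');

// A value that resolves outside the upload directory is refused.
var_dump(delete_uploaded_file($upload, '../.htaccess'));
var_dump(file_exists($root . DIRECTORY_SEPARATOR . '.htaccess'));
// A value that names a file inside the upload directory is deleted.
var_dump(delete_uploaded_file($upload, 'avatar.png'));

// Remove the scratch tree.
unlink($root . DIRECTORY_SEPARATOR . '.htaccess');
rmdir($upload);
rmdir($root);
```

Comparing the resolved path against the resolved base directory, rather than filtering "../" out of the raw string, also covers symlinks placed inside the upload directory.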

@faisalfs10x faisalfs10x changed the title Bug Report: Multiple Arbitrary File Deletion vulnerability Bug Report: Multiple Arbitrary File Deletion vulnerabilities Jul 20, 2021
cskaza (Owner) commented Nov 10, 2021

Resolved done on next version.

@cskaza cskaza closed this as completed Nov 10, 2021