Arbitrary file deletion vulnerability was found in v2.7.5 #412

Closed
whiskey-jj opened this issue Jul 2, 2020 · 2 comments

Comments

@whiskey-jj

Vulnerability description

Arbitrary file deletion vulnerability was found in v2.7.5. Hackers need administrator rights, and they can use any absolute directory to delete any file on the server.

Steps to reproduce the problem

Use the GitHub source code to build the local environment.
PHP 7.3, Apache 2.4, Windows 10
[screenshot]

Open the backup page. Create a backup and delete it. At the same time, use Burp Suite to capture the request.

[screenshot]

Enter the absolute path of the file you want to delete here.
A relative path also works.
[screenshot]
The file has been deleted.
[screenshot]

I think there's something wrong with the code here.
\system\admin\views\backup-start.html.php

<?php
if (login()) {                        // only a logged-in administrator reaches this branch
    if (isset($_GET['file'])) {
        $file = _h($_GET['file']);    // escaping helper only; the path itself is never validated

        if (!empty($file)) {
            unlink($file);            // deletes whatever path the request names, anywhere on disk
        }

    }
}
?>

It does not validate the path entered by the user, nor does it check whether the file belongs to the backup directory.

@danpros (Owner)

danpros commented Jul 4, 2020

Hello,

Thanks for reporting this, yes we need to limit it to the backup folder. But at least at the moment we need the administrator permission to do that, so it is relatively safe.

You can create a pull request to improve that code.

@danpros (Owner)

danpros commented Jan 22, 2021

I am limiting the unlink to the backup folder. 2b147eb

It should fix the problem.

Thanks,

@danpros danpros closed this as completed Jan 22, 2021
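Added example (not htmly's own code, and not the fix in commit 2b147eb, which this thread does not reproduce): a hardened replacement for the `unlink($file)` handler quoted in the report, showing the containment check the maintainer describes, namely that the requested name must resolve to a regular file directly inside the backup directory. The function name `safe_backup_delete`, the `$backupDir` parameter and the temporary files created in the demo are all assumptions made for illustration. Note that an escaping helper such as `_h()` (assumed here to be HTML escaping) does nothing to constrain a filesystem path, which is why the original check passes absolute and relative paths straight through to `unlink()`.

```php
<?php
// Added example: restrict deletion to files that live directly in the backup directory.
// Hypothetical function; it is not part of htmly and does not reproduce commit 2b147eb.

function safe_backup_delete(string $requested, string $backupDir): bool
{
    // Resolve the backup directory itself; abort if it does not exist.
    $backupReal = realpath($backupDir);
    if ($backupReal === false || !is_dir($backupReal)) {
        return false;
    }

    // Reject NUL bytes before touching any filesystem function.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }

    // Only a bare filename is acceptable: no directory separators, no "." or "..".
    // This rejects absolute paths ("C:\...", "/etc/...") and traversal ("../...") outright.
    if (basename($requested) !== $requested || $requested === '.' || $requested === '..') {
        return false;
    }

    // realpath() follows symlinks, so a link inside the backup folder pointing
    // elsewhere resolves to its real target and fails the containment check below.
    $target = realpath($backupReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return false; // file does not exist
    }

    // The resolved file must sit directly inside the backup directory and be a regular file.
    if (dirname($target) !== $backupReal || !is_file($target)) {
        return false;
    }

    return unlink($target);
}

// Demo with constructed files in a temporary directory (no real server data).
$backup = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup_demo_' . bin2hex(random_bytes(4));
mkdir($backup, 0700);
file_put_contents($backup . DIRECTORY_SEPARATOR . 'site-2020-07-02.zip', 'constructed backup');
$outside = tempnam(sys_get_temp_dir(), 'outside_'); // a file outside the backup folder that must survive

$attempts = [
    'site-2020-07-02.zip',                 // legitimate backup name: deleted
    $outside,                              // absolute path, as in the report: rejected
    '../' . basename($outside),            // relative traversal, as in the report: rejected
    "site-2020-07-02.zip\0.txt",           // NUL-byte trick: rejected
];

foreach ($attempts as $a) {
    $result = safe_backup_delete($a, $backup) ? 'deleted' : 'rejected';
    printf("%-45s => %s\n", addcslashes($a, "\0"), $result);
}

// The file outside the backup directory is still there.
var_dump(file_exists($outside));

// Clean up the constructed files.
unlink($outside);
rmdir($backup);
```

The key design choice is to reduce the problem to "is this a bare filename that exists in the backup folder" rather than trying to blacklist `..` or leading slashes, which is brittle across the Windows and POSIX path rules the reporter's environment (Windows 10 with Apache) and a typical Linux host would both need. A deletion endpoint should also not accept a bare `GET` with no anti-CSRF token, but that is outside what this thread discusses.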