Vulnerability description
An arbitrary file deletion vulnerability was found in v2.7.5. Hackers need administrator rights, and they can use any absolute directory to delete any file on the server.
Steps to reproduce the problem
Using GitHub source code to build the local environment.
PHP7.3 Apache2.4 Windows10
Enter the backup page. Create a backup and delete it. At the same time, use Burp Suite to capture the request.
Enter the absolute path of the file you want to delete here.
A relative path also works.
The file has been deleted.
I think there's something wrong with the code here.
\system\admin\views\backup-start.html.php
```php
<?php
if (login()) {
    if (isset($_GET['file'])) {
        // _h() only HTML-escapes the value; it does not validate or restrict the path.
        $file = _h($_GET['file']);
        if (!empty($file)) {
            // Deletes whatever path was supplied, absolute or relative.
            unlink($file);
        }
    }
}
?>
```
It does not control the path entered by the user, nor does it check whether the file belongs to the backup folder.
Thanks for reporting this, yes we need to limit it to the backup folder. But at least at the moment we need the administrator permission to do that, so it is relatively safe.
You can create a pull request to improve this code.
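One way to limit the deletion to the backup folder, as the maintainer's reply asks for, is to resolve the requested name inside the backup directory and refuse anything that does not land there after realpath() has resolved symlinks and `..` segments. The snippet below is an added example written for this issue, not the project's own code. It keeps the page's `login()` check and assumes a hypothetical `BACKUP_DIR` constant pointing at the backup directory and a hypothetical naming pattern for backups (`name.zip`); both are placeholders to adjust to the real project.

```php
<?php
// Added example (not the project's code): hardened replacement for the
// unlink() handler in backup-start.html.php.
// BACKUP_DIR is an assumed location; point it at the real backup directory.
const BACKUP_DIR = __DIR__ . '/../../../backup';

/**
 * Resolve a user-supplied backup name to a file inside $backupDir.
 * Returns the resolved path, or null when the request must be refused.
 */
function resolve_backup_file(string $requested, string $backupDir): ?string
{
    // The backup page only ever needs a file name, so drop any directory
    // component. This alone defeats absolute paths and "../" sequences.
    $name = basename($requested);

    // Accept only the naming pattern backups actually use (assumed: name.zip).
    // The character class also rejects backslashes, which basename() does not
    // treat as separators on non-Windows hosts.
    if ($name === '' || !preg_match('/^[A-Za-z0-9_.-]+\.zip$/', $name)) {
        return null;
    }

    // realpath() resolves symlinks and normalises the path; it returns false
    // when the directory or file does not exist.
    $base = realpath($backupDir);
    $candidate = realpath($backupDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $candidate === false) {
        return null;
    }

    // Containment check after resolution: the file must sit directly under
    // the backup directory, so a symlinked backup name cannot reach elsewhere.
    if (dirname($candidate) !== $base) {
        return null;
    }

    return $candidate;
}

if (login()) {
    if (isset($_GET['file'])) {
        $target = resolve_backup_file((string) $_GET['file'], BACKUP_DIR);
        if ($target === null) {
            http_response_code(400);
            exit('invalid backup file');
        }
        unlink($target);
    }
}
?>
```

The check is done on the resolved path rather than on the raw string, so it holds whether the request arrives with forward slashes, backslashes or a symlink placed in the backup directory; requests for anything outside the folder are refused with a 400 instead of reaching `unlink()`.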