Security Issue： arbitrary file deletion vulnerability in “\system\admin\views\backup.html.php”

[wszdhf]

Hi there,
I found an arbitrary file deletion vulnerability in Htmly.
Proof of Concept:
tested on Windows7 and Htmly version 2.8.1 and 2.8.0
1. Log in to the dashboard，click Tools -->Backup-->create backup to create backup.
2. Arbitrary file deletion: click Delete and modify the file parameter.
payload: GET /htmly1/admin/backup?file=htmly_2021-05-12-09-33-30.zip/../../../../../../windows/win.ini&submit=Delete

[danpros]

Hello,

Are you sure it can delete file outside the backup folder?

I already specify:

if (login()) {
    if (isset($_GET['file'])) {
        $file = _h($_GET['file']);

        if (!empty($file)) {
            unlink("backup/$file");
        }

    }
}

So it always check if the user login or not and than always search the file inside backup folder in htmly installations folder.

[ProjectPatatoe]

I just confirmed this on a ubuntu/apache2. I am able to delete a file in htmly's root directory.

[wszdhf]

Hello,

Are you sure it can delete file outside the backup folder?

I already specify:

if (login()) {
    if (isset($_GET['file'])) {
        $file = _h($_GET['file']);

        if (!empty($file)) {
            unlink("backup/$file");
        }

    }
}

So it always check if the user login or not and than always search the file inside backup folder in htmly installations folder.

yes，it can delete file outside the backup folder. As shown in the above picture,i can delete "C:\Windows\win.ini".
you can read this： https://portswigger.net/web-security/file-path-traversal

[danpros]

Thanks @wszdhf for the report and @ProjectPatatoe for the pull request.