ghost changed the title from "NoneCMS V1.3.0 with latest patch has a directory traversal vulnerability" to "The latest patch V1.3.0 of NoneCMS has a directory traversal vulnerability" on Jun 3, 2020
The latest patch V1.3.0 of NoneCMS has a directory traversal vulnerability in application/admin/controller/Main.php. The vulnerability allows remote authenticated users to delete arbitrary files by leveraging back-office access to provide a ..\ in the path parameter, which is prefixed with /upload/.
In order to fix CVE-2018-6022, the NoneCMS author made the following changes to the file application\admin\controller\Main.php: ff3fc6d#diff-0eaf9046c434434ca7b2b0d5e0fa0293
We can see that the patching measure is to check if the path parameter's value is prefixed with '/uploads/'. But we can still bypass it by adding the '/uploads/' prefix in combination with '..\' to implement a directory traversal attack which can delete arbitrary files.
So the PoC is as follows:
Before sending the payload, we create a test.txt in this directory:
When we send the payload, the test.txt file is deleted:
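One way to close this class of bypass in a PHP controller, as an added example that is not NoneCMS's own code: the prefix-only check described above, next to a check that canonicalises the path and confirms the result is still under the upload directory. `$webRoot`, the function names and the temp-dir layout are assumptions.

```php
<?php
// Added example, not NoneCMS code. prefixOnlyCheck() mirrors the patched
// logic described in the report; resolveUploadPath() is the hardened form.
// $webRoot and the function names are assumptions made for this example.

function prefixOnlyCheck(string $path): bool
{
    // Only the string prefix is tested, so a path that starts with
    // '/uploads/' and then climbs out with '..' segments still passes.
    return strpos($path, '/uploads/') === 0;
}

function resolveUploadPath(string $webRoot, string $path): ?string
{
    if (strpos($path, '/uploads/') !== 0) {
        return null;
    }
    // Backslashes are separators on Windows and NUL truncates C strings;
    // neither belongs in an upload path, so reject them outright.
    if (strpbrk($path, "\\\0") !== false) {
        return null;
    }
    // Refuse '..' segments before touching the filesystem at all.
    if (in_array('..', explode('/', $path), true)) {
        return null;
    }
    $uploadDir = realpath($webRoot . '/uploads');
    $target    = realpath($webRoot . $path);
    if ($uploadDir === false || $target === false) {
        return null;   // nonexistent target: nothing to delete
    }
    // The canonical target must sit strictly below the canonical upload dir.
    if (strpos($target, $uploadDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout: <webRoot>/uploads/a.txt and <webRoot>/test.txt
$webRoot = sys_get_temp_dir() . '/nonecms_demo';
@mkdir($webRoot . '/uploads', 0700, true);
file_put_contents($webRoot . '/uploads/a.txt', 'ok');
file_put_contents($webRoot . '/test.txt', 'keep');

// Same payload shape as the report's PoC, run through both checks,
// then a legitimate path inside the upload directory.
var_dump(prefixOnlyCheck('/uploads/..\\test.txt'));
var_dump(resolveUploadPath($webRoot, '/uploads/..\\test.txt'));
var_dump(resolveUploadPath($webRoot, '/uploads/../test.txt'));
var_dump(resolveUploadPath($webRoot, '/uploads/a.txt'));
```

The deletion call should only ever receive the string returned by resolveUploadPath(), never the raw request parameter.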