Arbitrary file deletion vulnerability #311

Closed
AirSkye opened this issue Jul 2, 2021 · 1 comment

Comments


AirSkye commented Jul 2, 2021

In line 334 of include/inc_act/act_ftptakeover.php, the variable $file passed to the unlink method is not filtered, so a ../ sequence can be used for directory traversal to delete arbitrary files.


Reproduction steps:
Log in and open the backend page http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8
After first uploading a file, select the first file and click "take over selected files".


Use Burp Suite to intercept the request and modify the field attribute of the first file: base64-decode its content, change it to ../_.htaccess, encode it again, and attempt to delete the _.htaccess file in the root directory.


Debugging to inspect the variable value


The file was successfully deleted


Repair suggestions:

  1. Filter ../ and other special characters.
  2. Restrict directory access permissions.
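An added example, not code from the phpwcms project or from this report, of the kind of check the two repair suggestions point at: the decoded value is accepted only as a bare file name, and the resolved path must stay inside the upload directory before unlink() is ever called. The function name `safe_unlink_within` and the constructed temp directories are assumptions for the demonstration.

```php
<?php
// Added example (not phpwcms code): confine a deletion to one directory.
// $baseDir is the directory the take-over action is allowed to manage;
// $requestedName is the already base64-decoded value from the request.
function safe_unlink_within(string $baseDir, string $requestedName): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false; // base directory must exist
    }

    // Reject anything that is not a plain file name: path separators,
    // NUL bytes (realpath() would throw on them), or "." / "..".
    if ($requestedName === '' || $requestedName === '.' || $requestedName === '..'
        || strpbrk($requestedName, "/\\\0") !== false) {
        return false;
    }

    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    if ($candidate === false || !is_file($candidate)) {
        return false; // missing, or not a regular file
    }

    // Even after the name check, require the resolved path (symlinks
    // followed) to sit inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return unlink($candidate);
}

// Constructed demonstration: one file inside the upload directory,
// one file outside it, and the request value arriving base64-encoded
// as it does in the take-over form.
$upload  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'outside_' . bin2hex(random_bytes(4)) . '.txt';
mkdir($upload);
file_put_contents($upload . DIRECTORY_SEPARATOR . 'report.pdf', 'x');
file_put_contents($outside, 'x');

$traversal = base64_encode('../' . basename($outside)); // rejected by the name check
var_dump(safe_unlink_within($upload, base64_decode($traversal, true)), file_exists($outside));
$legit = base64_encode('report.pdf');                    // accepted and deleted
var_dump(safe_unlink_within($upload, base64_decode($legit, true)));

unlink($outside);
rmdir($upload);
```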
slackero (Owner) commented Jul 4, 2021

So old problems at all, thanks for finding and reporting this. It's rarely a real problem because only editors have access, but anyway it shouldn't be possible in any case.

slackero closed this as completed Jul 4, 2021