Headline
CVE-2021-36425: Arbitrary file deletion vulnerability · Issue #311 · slackero/phpwcms
Directory traversal vulnerability in phpwcms 1.9.25 allows remote attackers to delete arbitrary files via the unfiltered $file parameter passed to unlink() in the include/inc_act/act_ftptakeover.php file.
At line 334 of include/inc_act/act_ftptakeover.php, the variable $file passed to unlink() is not filtered, so a value of the form ../ can be used for directory traversal and any file on the server that the web server user can write to can be deleted.
Vulnerability reproduction:
Log in and open the backend page http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8
First upload a file, then select the first file and click "take over selected files".
Capture the request with Burp Suite and modify the field for the first file: base64-decode its content, change it to ../.htaccess, re-encode it, and try to delete the .htaccess file in the root directory.
Debugging shows the variable value (screenshot).
The file was successfully deleted (screenshot).
Repair suggestions:
1. Filter ../ and other special characters.
2. Restrict directory access permissions.
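The following is an added example, not code from phpwcms or from the issue author. It models the pattern the report describes (a base64-encoded file name from the "take over selected files" form is decoded and handed to unlink() without any containment check) beside a hardened version, and runs the ../.htaccess payload against both. The function names, the upload-directory layout and the throw-on-error behaviour are assumptions made for the illustration; the real check in act_ftptakeover.php may look different.

```php
<?php
// Added example (not phpwcms code). Function names and directory layout are
// hypothetical; only the vulnerable pattern (base64_decode -> unlink) follows the report.
declare(strict_types=1);

// Vulnerable pattern: the decoded name is joined to the upload directory and
// unlinked as-is, so "../.htaccess" escapes to the parent directory.
function ftptakeover_delete_unsafe(string $uploadDir, string $encodedName): string
{
    $file = base64_decode($encodedName, true);
    if ($file === false) {
        throw new InvalidArgumentException('field is not valid base64');
    }
    $target = rtrim($uploadDir, '/') . '/' . $file;   // "../" survives untouched here
    if (is_file($target)) {
        unlink($target);
    }
    return $target;
}

// Hardened version: accept only a bare file name, then confirm with realpath()
// that the resolved target (symlinks included) still lives inside $uploadDir.
function ftptakeover_delete_safe(string $uploadDir, string $encodedName): string
{
    $file = base64_decode($encodedName, true);
    if ($file === false || $file === '' || $file === '.' || $file === '..'
        || strpos($file, "\0") !== false || $file !== basename($file)) {
        // basename() strips any directory part, so "../.htaccess", "sub/x" and
        // absolute paths all fail the equality test instead of being "filtered".
        throw new InvalidArgumentException('invalid file name');
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    // Prefix check on the resolved path: a symlink planted in the upload
    // directory that points outside it is rejected as well.
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        throw new RuntimeException('target is outside the upload directory');
    }
    unlink($real);
    return $real;
}

// Constructed scenario: a root directory holding .htaccess and an upload
// subdirectory holding one uploaded file, both created in a temp dir.
function demo(): array
{
    $root   = sys_get_temp_dir() . '/ftptakeover_' . bin2hex(random_bytes(4));
    $upload = $root . '/upload';
    mkdir($upload, 0700, true);
    file_put_contents($root . '/.htaccess', "Deny from all\n");
    file_put_contents($upload . '/a.txt', "uploaded\n");

    // What the Burp-edited field carries after re-encoding "../.htaccess".
    $payload = base64_encode('../.htaccess');   // "Li4vLmh0YWNjZXNz"

    ftptakeover_delete_unsafe($upload, $payload);
    $unsafeDeletedHtaccess = !file_exists($root . '/.htaccess');

    file_put_contents($root . '/.htaccess', "Deny from all\n");   // restore the victim file
    try {
        ftptakeover_delete_safe($upload, $payload);
        $safeRejected = false;
    } catch (InvalidArgumentException | RuntimeException $e) {
        $safeRejected = true;
    }
    $htaccessSurvived = file_exists($root . '/.htaccess');

    // A legitimate delete of an uploaded file still works through the safe path.
    ftptakeover_delete_safe($upload, base64_encode('a.txt'));
    $legitimateDeleteWorked = !file_exists($upload . '/a.txt');

    @unlink($root . '/.htaccess');
    @rmdir($upload);
    @rmdir($root);

    return [
        'unsafe_deleted_htaccess' => $unsafeDeletedHtaccess,   // true
        'safe_rejected_payload'   => $safeRejected,            // true
        'htaccess_survived_safe'  => $htaccessSurvived,        // true
        'legitimate_delete_ok'    => $legitimateDeleteWorked,  // true
    ];
}

var_dump(demo());
```

The hardened function deliberately rejects rather than "filters": stripping ../ from a name (suggestion 1 above) can be bypassed with inputs such as ....// that collapse back into ../ after one pass, whereas comparing the decoded value with basename() and then checking the realpath() prefix leaves no string to sanitise. The realpath() step also covers the case the report does not mention, a symlink inside the upload directory pointing at a file outside it.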