CVE-2022-29720: 74cmsSE v3.5.1 Arbitrary file read · Issue #1 · PAINCLOWN/74cmsSE-Arbitrary-File-Reading
74cmsSE v3.5.1 was discovered to contain an arbitrary file read vulnerability via the component \index\controller\Download.php.
Vulnerability Name: Arbitrary File Read
Date of Discovery: 21/4/2022
Product version: 74cmsSE_v3.5.1
Download link: http://www.74cms.com/downloadse/show/id/68.html
Vulnerability Description:
Arbitrary file read is a class of file-operation vulnerability. In general, an arbitrary file read lets an attacker read configuration data and even sensitive system files. In severe cases it may be chained into SSRF to reach the internal network.
Causes of vulnerabilities:
The path of the file to be read is user-controllable and is either not validated at all or not validated strictly enough.
Code Analysis:
In \upload\application\index\controller\Download.php at line 10 there is a file-operation function into which $url is passed without any filtering, while $output_filename is the file name used for the output. Because of this, a `../` sequence (which returns to the parent directory) in $url can be used to read files on the server.
Proof:
payload:
/index.php/index/download/index?name=index.php&url=../../application/database.php
This reads the site's database configuration file.
Other files can be read in the same way:
payload:
/index.php/index/download/index?name=index.php&url=../../../../../../../etc/passwd
Fix suggestion: Sanitize the data: hard-code or uniformly encode the file name parameters supplied by the user, enforce a whitelist of permitted file types, and reject any parameter that contains malicious characters or null bytes.
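The fix suggestion above, as an added example of a hardened download handler; this is not 74cmsSE's own code, and DOWNLOAD_BASE, ALLOWED_EXT and safeDownloadPath are assumed names.

```php
<?php
// Added example (not 74cmsSE code): a download handler that applies the fix
// suggestion above. Assumes downloadable files live under a dedicated
// directory and only a whitelist of extensions may be served.
declare(strict_types=1);

const DOWNLOAD_BASE = __DIR__ . '/downloads';        // assumed location
const ALLOWED_EXT   = ['pdf', 'zip', 'doc', 'docx']; // assumed whitelist

/**
 * Resolve a user-supplied file name to a safe absolute path inside
 * DOWNLOAD_BASE, or return null if the request must be rejected.
 */
function safeDownloadPath(string $userPath): ?string
{
    // Reject empty input and null bytes (which can truncate paths in C-backed APIs).
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // Allow only a plain file name: no slashes, so "../" can never appear.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $userPath)) {
        return null;
    }
    // Whitelist the extension instead of blacklisting bad ones.
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Canonicalise (resolving symlinks) and confirm the file is still
    // inside the base directory; ".." alone would fail this check.
    $base = realpath(DOWNLOAD_BASE);
    $full = realpath(DOWNLOAD_BASE . '/' . $userPath);
    if ($base === false || $full === false) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Hypothetical controller action: the same "url" parameter, now validated.
$path = safeDownloadPath((string) ($_GET['url'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

With this handler, the two payloads shown above are rejected by the character whitelist before any file system call is made, and a symlink placed inside the download directory is caught by the realpath containment check.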