Headline
CVE-2021-25856: Arbitrary file deletion vulnerability · Issue #1 · pcmt/superMicro-CMS
An issue was discovered in pcmt superMicro-CMS version 3.11, allows attackers to delete files via crafted image file in images.php.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
gift89a opened this issue
Jan 14, 2021
· 2 comments
Closed
Arbitrary file deletion vulnerability #1
gift89a opened this issue
Jan 14, 2021
· 2 comments
Comments
Vulnerability exploitation conditions: Log in to the management background
Vulnerable code: superMicro-CMS-main/admin/images.php line:151
` if (array_key_exists('submit2’, $_POST)) { // Delete
$imagename = trim($_POST['delete']);
$delete = '../img/' . $imagename; //**$imagename, User controllable parameters**
// $disallowed = array('img-loading.gif', 'nav-icon.jpg');
if (strlen($imagename) < 1) {
$problem = TRUE;
$response = '<em>No image filename was entered.</em>';
}
// Admin images moved to admin
if (($imagename == 'og.jpg') || ($imagename == 'bg_footer.gif') || ($imagename == 'bg_footer_monochrome.gif')) {
$problem = TRUE;
$response = "<em>The default images can't be deleted. Maybe upload a new one (<b>og.jpg</b> must be 200 pixels square).</em>";
}
if (!$problem) {
if (file_exists($delete)) {
unlink($delete); //**Unfiltered, can directly all files**
$response = '<em>Success. <b>' . $imagename . '</b> was deleted.</em>';
} else {
$response = '<em>Image <b>' . $imagename . '</b> doesn\'t exist. Try another.</em>';
}
}
}`
Vulnerability POC:
Thanks for that too. Will do it.
Changes made. Thanks again.
2 participants