Sketch
File deletion vulnerability. The GET parameter used when deleting a database backup is not filtered, so we can delete any file or directory. We can also delete the installation lock.
Reappearance
Download the latest version from the official website and install it.
Log in to the administrator interface and open this URL, then choose Database file backup.
http://www.test.com/admin/index.php?m=database
The backup directory is located in /data/plus/bdata
Create a new directory named 123, and create a new file named 1.txt
Then visit http://www.test.com/admin/index.php?m=database&c=backin
Intercept the request, then change the parameter sql to ../123
Forward it, and we find that the directory 123 has been deleted.
Explain
The vulnerable code is located in V4.6_20180920, /admin/model/database.class.php, in function del_action()
Line 111 checks the token to prevent CSRF. Lines 112-113 take the parameter sql to complete the path. Lines 114-118 get all the directories and subdirectories, then delete them.
The filtering of the GET parameter is not strict: ../ can pass it. The filtering of GET parameters is located in db.safety.php
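One way to close this hole, shown as an added example that is not the project's own code: canonicalise the requested backup name and refuse anything that does not resolve to a directory inside the backup directory. The function name, the allow-list pattern and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added example, not the project's code. All names here are hypothetical.

// Resolve a user-supplied backup name to a directory strictly inside $baseDir.
// Returns the canonical path, or null when the name is unsafe or does not exist.
function resolve_backup_dir(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Allow-list (assumed naming scheme): one path component, no dots or slashes.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return null;
    }
    // Canonicalise so symlinks and any remaining ".." are resolved before the check.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Containment: the target must be a strict descendant of the backup directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout mirroring the report: .../plus/bdata with a sibling .../plus/123.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'deldemo_' . bin2hex(random_bytes(4));
mkdir($root . '/plus/bdata/backup_20180920', 0700, true);
mkdir($root . '/plus/123', 0700, true);
$base = $root . '/plus/bdata';

foreach (['backup_20180920', '../123', '..', 'backup_20180920/../../123'] as $name) {
    $resolved = resolve_backup_dir($base, $name);
    printf("%-28s => %s\n", var_export($name, true), $resolved ?? 'REJECTED');
}

// Remove the constructed directories again.
foreach (['/plus/bdata/backup_20180920', '/plus/bdata', '/plus/123', '/plus', ''] as $d) {
    rmdir($root . $d);
}
```

Only the first name resolves; the three traversal forms are rejected before any delete routine would see them. The containment check also catches a backup entry that is a symlink pointing outside the backup directory, which the allow-list alone would not.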