| Field | Value |
|---|---|
| Title | SeaCMS 13.5 Arbitrary File Read |
| Description | SeaCMS V13.5 arbitrary file read in admin_safe.php (full submission text below) |
| Source | ⚠️ http://127.0.0.1/xxx/admin/admin_safe.php?action=download&file=../data/common.inc.php |
| User | july-skyload (UID 97596) |
| Submission | 05/19/2026 08:58 (22 days ago) |
| Moderation | 06/05/2026 09:02 (17 days later) |
| Status | Duplicate |
| VulDB entry | 297630 [SeaCMS 13.3 admin_safe.php file_get_contents path traversal] |
| Points | 0 |

Description (submission text)

Title: SeaCMS V13.5 arbitrary file read in admin_safe.php
Affected Product: SeaCMS V13.5
Vulnerability Type: Arbitrary File Read / Path Traversal

Description:
The download action in admin/admin_safe.php uses the user-controlled file parameter directly in file_exists() and file_get_contents() without path validation or directory restrictions. An authenticated attacker can read arbitrary local files on the server, including configuration files and credentials.

Proof of Concept:
http://127.0.0.1/SeaCMS_V13.5_install/4hwhx9/admin/admin_safe.php?action=download&file=../data/common.inc.php

Impact:
Disclosure of database credentials, SMTP credentials, and other sensitive local files. This may lead to full application compromise.

Suggested Fix:
Restrict file access to a safe allowlist directory, normalize paths with realpath(), reject traversal, and remove arbitrary file download functionality.

Key evidence code:

```php
// Excerpt from admin/admin_safe.php as submitted: the download branch.
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
    $file = $_GET['file'];          // taken verbatim from the request, no validation
    ob_clean();
    if (@file_exists($file)) {      // any readable path on the server passes this check
        header("Content-type: application/octet-stream");
        header("Content-Disposition: filename=\"".basename($file)."\"");
        echo file_get_contents($file);   // file contents returned to the client
    }
    exit();
}
```
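The suggested fix worked through as an added example (this is not SeaCMS code and not the submitter's): a resolver that accepts only a bare file name inside one allowlisted directory, canonicalises it with realpath(), and checks that the result still lies under that directory before anything is read. The `backups` directory, the function name and the demo files are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not SeaCMS code): hardened replacement for the download
// branch. The allowlisted directory and the file names below are hypothetical.

// Return the canonical path of $requested inside $baseDir, or null if the
// request must be refused. Every check runs before any filesystem read.
function resolve_allowed_file(string $baseDir, string $requested): ?string
{
    // NUL bytes make realpath() and the file functions misbehave or throw; refuse early.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Accept a bare file name only: any directory component ("../x", "/etc/x") is rejected.
    if ($requested !== basename($requested) || $requested === '.' || $requested === '..') {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks and returns false for missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check kept as defence in depth: even a symlink dropped into the
    // directory resolves elsewhere, and the resolved target must stay under $base.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Demo on a constructed temporary layout: one legitimate backup file and a
// sibling config file that must not be reachable through the download action.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/backups', 0700, true);
file_put_contents($root . '/backups/site.sql', "-- constructed backup\n");
file_put_contents($root . '/common.inc.php', "<?php // constructed secret\n");

var_dump(resolve_allowed_file($root . '/backups', 'site.sql'));            // bare name inside the allowlist
var_dump(resolve_allowed_file($root . '/backups', '../common.inc.php'));   // traversal to the sibling config
var_dump(resolve_allowed_file($root . '/backups', "site.sql\0.txt"));     // NUL-byte truncation attempt
```

In the download branch, call this with the allowlisted directory and `$_GET['file']`, and send the file only when the return value is non-null. A null result is worth logging as a refused download attempt rather than being silently ignored, since repeated refusals are a useful detection signal.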