| Field | Value |
|---|---|
| Title | SeaCMS 13.5 Arbitrary File Read |
| Description | Title: SeaCMS V13.5 arbitrary file read in admin_safe.php<br>Affected Product: SeaCMS V13.5<br>Vulnerability Type: Arbitrary File Read / Path Traversal<br>Description: The download action in admin/admin_safe.php uses the user-controlled `file` parameter directly in file_exists() and file_get_contents() without path validation or directory restrictions. An authenticated attacker can read arbitrary local files on the server, including configuration files and credentials.<br>Proof of Concept: http://127.0.0.1/SeaCMS_V13.5_install/4hwhx9/admin/admin_safe.php?action=download&file=../data/common.inc.php<br>Impact: Disclosure of database credentials, SMTP credentials, and other sensitive local files. This may lead to full application compromise.<br>Suggested Fix: Restrict file access to a safe allowlist directory, normalize paths with realpath(), reject traversal, and remove arbitrary file download functionality.<br>Key evidence code: see the PHP snippet below the table. |
| Source | ⚠️ http://127.0.0.1/xxx/admin/admin_safe.php?action=download&file=../data/common.inc.php |
| User | july-skyload (UID 97596) |
| Submitted | 2026-05-19 08:58 (23 days ago) |
| Moderated | 2026-06-05 09:02 (17 days later) |
| Status | Duplicate |
| VulDB entry | 297630 [SeaCMS 13.3 admin_safe.php file_get_contents path traversal] |
| Points | 0 |

Key evidence code (from the Description field, admin/admin_safe.php in SeaCMS V13.5):

```php
<?php
// Vulnerable download handler as submitted. $action is assumed to be read
// from the request earlier in admin_safe.php (not shown in the submission).
if ($action == "download" && isset($_GET['file']) && trim($_GET['file']) != "")
{
    $file = $_GET['file'];              // attacker-controlled, never validated
    ob_clean();
    if (@file_exists($file)) {          // "../" segments resolve relative to the script's working directory
        header("Content-type: application/octet-stream");
        header("Content-Disposition: filename=\"" . basename($file) . "\"");
        echo file_get_contents($file);  // any readable local file is returned verbatim
    }
    exit();
}
```
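The suggested fix (allowlist directory, realpath() normalization, traversal rejection) applied to this handler, as an added example that is not SeaCMS code; the export directory `$allowedDir` and the helper name `resolveDownloadPath` are assumptions:

```php
<?php
// Hardened replacement for the download action in admin/admin_safe.php.
// Assumption: files may only be served from one export directory, and the
// "file" parameter is a bare file name inside it.
declare(strict_types=1);

/**
 * Resolve $requested inside $allowedDir; return the canonical path, or null
 * if the name is malformed, the file does not exist, or it escapes the directory.
 * realpath() collapses "../" and symlinks, so the containment check runs on the
 * canonical path, not on the attacker-controlled string.
 */
function resolveDownloadPath(string $allowedDir, string $requested): ?string
{
    $base = realpath($allowedDir);
    if ($base === false) {
        return null;                        // allowlist directory missing: fail closed
    }
    // Only bare file names are expected: reject NUL bytes and any directory component.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                        // nonexistent, or not a regular file
    }
    // Containment: the canonical path must start with "<base>/" (catches symlinks pointing out).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$action = $_GET['action'] ?? '';
if ($action === 'download' && isset($_GET['file'])) {
    $allowedDir = __DIR__ . '/../data/backup';   // assumed export directory
    $path = resolveDownloadPath($allowedDir, trim((string) $_GET['file']));
    if ($path === null) {
        http_response_code(400);
        exit('invalid file');                    // "../data/common.inc.php" ends here
    }
    ob_clean();
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit();
}
```

A rejected request is also a useful detection signal: log the raw `file` value on the 400 path, since a traversal string there is a clear indicator of probing.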