Vulnerability Name: Multiple Arbitrary File Deletion

Product version: 2.5.7 Download link

file location:/user/licence_save.php,/user/ztconfig.php,/user/zssave.php Vulnerability Description: When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.

Proof of Concept 1

Vulnerable URL:/user/licence_save.php Vulnerable Code: line 22 we just need post id as param and then use unlink to delete the file as long as the file exists(the base dir is ../),for example,we can delete install.lock

Proof of Concept 2

Vulnerable URL:/user/ztconfig.php Vulnerable Code: line 68

exp

POST /user/ztconfig.php?action=modify 
oldimg=install/install.lock

Proof of Concept 3

Vulnerable URL:/user/zssave.php Vulnerable Code: line 114 this base dir is ./ so exp

POST /user/zssave.php
action=modify&oldimg=../install/install.lock

Vulnerability Name: Multiple Arbitrary File Deletion

Date of Discovery: 30 August 2021

Product version: 2.5.7 Download link

Author: hibiki-sama

Vulnerability Description: When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.

Proof of Concept 1

Vulnerable URL: /user/ppsave.php Vulnerable Code: line 68 - kanacms\user

It can be found that there is no verification, just judge whether it is the same as the previous or default, and then use unlink to delete the file as long as the file exists

Therefore, the vulnerability analysis and utilization are very simple

We deleted the installed lock file / install / install.lock

Proof of Concept 2

Vulnerable URL: /user/adv.php Vulnerable Code: line 77 - kanacms\user/adv.php

There is an arbitrary file deletion vulnerability. I have to say that the system is really problematic in judging this

The file causing the problem is in / user / adv.php

It is also a problem caused by the comparison between oldimg and img

Similar to the above analysis, it only judges whether it is the same as the original, and then splices.. / and directly calls unlink, so the use is also very simple

Just delete the hidden of the form attribute in HTML, and then directly enter the file name you want to delete

Our staff noticed that SQL injection was generated in / company / search.php due to controllable function name. Now we are trying our best to repair it