vedees / wcms

🖖 Best CMS for landing-page
Apache License 2.0
255 stars, 51 forks

BUG: An Arbitrary File Reading Vulnerability in wex/cssjs.php #3

Open GodEpic opened 5 years ago

GodEpic commented 5 years ago

An Arbitrary File Reading Vulnerability in wex/cssjs.php

There is a vulnerability that can read and modify any files to get a shell.

Affected software: WCMS V0.3.2

PoC: use ../ for directory traversal. I can read config.php to get the admin account.

/wex/cssjs.php?path=..//wcms/config.php&type=css

I can still do it.

Now let's modify this file.

Click Save. Success!

So I can modify a PHP file to get a shell. This access works without login.

Source code: wex/cssjs.php

We can see there is no filtering of '../', which is what causes the directory traversal vulnerability.

cryptoprof commented 5 years ago

Hello. I have made some changes to the project structure. I have added a check for realpath. I have tested your examples now, probably all fixed, please check. I'm only starting this fork, so I will fix the next issues when I have free time. https://github.com/cryptoprof/wcms/tree/feature/securityFix
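
A sketch of what a realpath-based containment check for a `path`/`type` endpoint like the one in this thread can look like. This is an added example, not code from wcms or from the fork; the function name `resolve_asset`, the asset directory and the css/js allow-list are assumptions.

```php
<?php
// Added example: hypothetical helper, not taken from wcms or the fork.
declare(strict_types=1);

/** Resolve a user-supplied path inside $baseDir, or return null to reject. */
function resolve_asset(string $baseDir, string $userPath, string $type): ?string
{
    // Assumed allow-list: the endpoint only ever serves these asset types.
    $allowed = ['css' => 'css', 'js' => 'js'];
    if (!isset($allowed[$type]) || strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../", doubled slashes and symlinks, and
    // returns false for paths that do not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base WITH a trailing separator, so a sibling
    // such as /srv/assets_old cannot pass as being inside /srv/assets.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // The extension must match the requested type, so a .php file is
    // never returned for type=css even if it sits inside the base.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== $allowed[$type]) {
        return null;
    }
    return $real;
}

// Constructed demo layout in a temp directory (not the real wcms tree).
$root = sys_get_temp_dir() . '/wcms_demo_' . bin2hex(random_bytes(4));
mkdir("$root/wex/assets", 0700, true);
file_put_contents("$root/config.php", "<?php // constructed placeholder\n");
file_put_contents("$root/wex/assets/site.css", "body{}\n");
file_put_contents("$root/wex/assets/note.php", "<?php // constructed\n");

foreach (['site.css', '../../config.php', '..//..//config.php', 'note.php', 'missing.css'] as $p) {
    $r = resolve_asset("$root/wex/assets", $p, 'css');
    printf("%-20s => %s\n", $p, $r === null ? 'rejected' : 'served');
}
```

Only `site.css` is served; the other four inputs are rejected. Because the report also shows files being saved without login, the same resolution step belongs in front of any write handler, alongside an authentication check.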