
BUG: An Arbitrary File Reading Vulnerability in wex/cssjs.php

Open GodEpic opened this issue 6 years ago • 1 comments

An Arbitrary File Reading Vulnerability in wex/cssjs.php

There is a vulnerability that allows reading and modifying any file to get a shell.

Affected software: WCMS V0.3.2

PoC: use `../` for directory traversal. I can read config.php to get the admin account.

`/wex/cssjs.php?path=..//wcms/config.php&type=css`

I can still do it.

Now let's modify this file.

Click Save. Success!

So I can modify a PHP file to get a shell. That access works without login.

Source code: wex/cssjs.php

We can see there is no filtering of '../', which is why there is a directory traversal vulnerability.

GodEpic, Jul 14 '19 15:07

Hello. I have made some changes to the project structure. I have added a check for realpath. I have tested your examples now; probably all are fixed, please check. I'm only starting this fork, so I will fix the next issues when I have free time. https://github.com/cryptoprof/wcms/tree/feature/securityFix

cryptoprof, Jul 27 '19 16:07
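
A realpath-based containment check of the kind the reply mentions, as an added example that is not part of the original thread and not the fork's actual code. The helper name `resolve_asset`, the `assets` directory, and the `type` allow-list are assumptions; the demo files are constructed in a temp directory.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not WCMS code): map a user-supplied relative path to a
// file under $baseDir, or return null when the request must be refused.
function resolve_asset(string $baseDir, string $userPath, string $type): ?string
{
    $allowed = ['css' => 'css', 'js' => 'js'];      // assumed allow-list for "type"
    if (!isset($allowed[$type]) || strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../", ".//" and symlinks; false if target is missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against base plus a trailing separator so that a sibling such as
    // "assets-old" does not pass a plain prefix test for "assets".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Check the extension of the resolved file, not of the raw input.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== $allowed[$type]) {
        return null;
    }
    return $real;
}

// Constructed demo tree in a temp directory (not the project's real layout).
$root = sys_get_temp_dir() . '/wcms_demo_' . bin2hex(random_bytes(4));
mkdir("$root/assets", 0700, true);
file_put_contents("$root/assets/site.css", 'body{}');
file_put_contents("$root/config.php", '<?php // constructed placeholder');

foreach (['site.css', './/site.css', '../config.php', '..//config.php'] as $p) {
    $ok = resolve_asset("$root/assets", $p, 'css') !== null;
    printf("%-16s => %s\n", $p, $ok ? 'served' : 'rejected');
}

// Clean up the demo tree.
unlink("$root/assets/site.css");
unlink("$root/config.php");
rmdir("$root/assets");
rmdir($root);
```

The same containment check belongs on the save path, since the issue reports that files could be modified as well as read.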