路漫漫其修远兮

yccms - Directory Traversal

2019.06.14

Vulnerability Report: yccms 3.3 Directory Traversal

This paper describes a vulnerability in yccms. (yccms is a lightweight PHP CMS site-building system: its page design is simple, it generates static HTML, it has a powerful back end that is conducive to search-engine optimization, with strong content collection and strong ranking, suitable for keyword ranking and Taobao affiliate programs, and is an ideal choice for individuals and enterprises building a site.)

The directory traversal vulnerability in the project comes from the delete, deletesite and deleteAll functions, whose improper validation of the request parameters triggers a directory traversal.

Test Environment

  • yccms: 3.3 website: http://www.yccms.net/
  • php: 7.2.9
  • os and hardware: Mac OS X 10_12_6

Vulnerability Location

The vulnerability lies in the delete, deletesite and deleteAll functions in the yccms_v3.3/controller/BackupAction.class.php file, which delete a file by the given filename.

In all three functions, the filename parameter is received from the front end and then passed directly to the unlink function. A malicious attacker can supply a malicious filename parameter, such as ../../etc/passwd, which will directly delete key system files.

	// Delete a single database backup
	public function delete(){
		$filename = $_GET['filename'];                          // untrusted: taken straight from the query string
		@unlink(ROOT_PATH.'/public/backup/data/'.$filename);    // no check that the joined path stays under backup/data; '@' hides the failure
		Tool::alertLocation(null, '?a=backup&m=backlist');
	}
	public function deletesite(){
		$filename = $_GET['filename'];                          // untrusted, same pattern
		@unlink(ROOT_PATH.'/public/backup/site/'.$filename);
		Tool::alertLocation(null, '?a=backup&m=site');
	}
	// Batch delete database backups
	public function deleteAll(){
		if(validate::isNullString($_POST['filename'])) tool::layer_alert('请选择要删除的备份文件!','?a=backup&m=backlist',7);
		$filename = $_POST['filename'];                         // untrusted array of names from the POST body
		foreach ($filename as $_value){
			@unlink(ROOT_PATH.'/public/backup/data/'.$_value);  // same unchecked concatenation for every element
		}
		Tool::alertLocation(null, '?a=backup&m=backlist');
	}
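As an added example (not code from the yccms project or from this report), the following PHP shows one way to harden the three handlers: the file name is allow-listed before it reaches the filesystem, the joined path is canonicalised with realpath() and checked to still sit under the backup directory, and refused names are returned to the caller instead of being silenced with '@'. The ROOT_PATH layout follows the report; the function names resolveBackupFile() and deleteBackups(), and the temporary-directory demonstration at the end, are assumptions of this example.

```php
<?php
// Added example, not yccms project code: a hardened replacement for the
// unchecked unlink() in delete/deletesite/deleteAll. The backup layout
// (ROOT_PATH/public/backup/data) is taken from the report; the function
// names below are assumed for this illustration.

/**
 * Map a user-supplied backup file name to an absolute path that is proven
 * to sit inside $baseDir. Returns null for anything that must be refused.
 */
function resolveBackupFile(string $baseDir, string $filename): ?string
{
    // Allow-list the name itself: no '/', '\', NUL bytes or leading dots,
    // so '../' sequences and hidden files never reach the filesystem call.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/', $filename)) {
        return null;
    }
    // Canonicalise after joining and re-check containment; this also refuses
    // a symlink placed inside the backup directory that points elsewhere.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $target === false || !is_file($target)) {
        return null;                       // directory or file does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;                       // resolved outside the backup dir
    }
    return $target;
}

/**
 * Delete the named backups under $baseDir. Returns the names that were
 * refused so the caller can log them as a possible traversal attempt
 * rather than hiding the failure with '@' as the original code does.
 */
function deleteBackups(string $baseDir, array $names): array
{
    $refused = [];
    foreach ($names as $name) {
        $target = is_string($name) ? resolveBackupFile($baseDir, $name) : null;
        if ($target === null || !unlink($target)) {
            $refused[] = is_string($name) ? $name : '(non-string)';
        }
    }
    return $refused;
}

// --- Self-contained demonstration on a constructed temporary layout --------
$root = sys_get_temp_dir() . '/yccms_demo_' . getmypid();   // stands in for ROOT_PATH
mkdir($root . '/public/backup/data', 0700, true);
file_put_contents($root . '/public/backup/data/db_20190614.sql', 'constructed backup');
file_put_contents($root . '/public/secret.txt', 'must survive');

$requests = [
    'db_20190614.sql',           // legitimate backup: deleted
    '../secret.txt',             // traversal: refused by the allow-list
    '../../../../../../win.ini', // the report's payload: refused
    "db\0.sql",                  // NUL-byte truncation attempt: refused
    '.htaccess',                 // hidden file: refused
    ['nested'],                  // deleteAll() receives an array; non-string refused
];
$refused = deleteBackups($root . '/public/backup/data', $requests);
echo "refused: " . json_encode($refused, JSON_UNESCAPED_SLASHES) . "\n";

assert(!file_exists($root . '/public/backup/data/db_20190614.sql'));
assert(file_exists($root . '/public/secret.txt'));
assert(count($refused) === 5);

// Remove the constructed layout again.
unlink($root . '/public/secret.txt');
rmdir($root . '/public/backup/data');
rmdir($root . '/public/backup');
rmdir($root . '/public');
rmdir($root);
```

The allow-list does the real work; the realpath() containment check is defence in depth against symlinks inside the backup directory and against a later loosening of the pattern. Note that basename() alone would turn ../../etc/passwd into passwd, which happens to be harmless here but silently accepts a request that should instead be refused and logged.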

Local Test

Log in to the admin back end; in the database backup list, clicking Delete deletes the file with the given filename.


Using the Burp Suite tool, modify filename to ../../../../../../win.ini to delete a file across directories.


Summary

This paper verifies the directory traversal vulnerability in the delete, deletesite and deleteAll functions of yccms version 3.3 through local tests.
