Content Management Systems (CMS) are popular targets for attackers due to their prevalence and frequent misconfigurations. One such vulnerability, CVE-2024-25828, affects cmseasy version V7.7.7.9. This vulnerability allows a remote attacker to delete any file on the server by exploiting insecure code in lib/admin/template_admin.php.
What Is CVE-2024-25828?
CVE-2024-25828 is an arbitrary file deletion vulnerability inside cmseasy's admin area. It lies in the template_admin.php file, where unsafe handling of the user-supplied filename allows attackers to delete files outside intended directories, including important system files.
Severity: Critical
Affected version: cmseasy V7.7.7.9
Technical Background
Within lib/admin/template_admin.php, there's code that handles file deletion for templates. However, there is insufficient sanitization of the input, which leads to a classic "arbitrary file deletion" issue sometimes called "Path Traversal."
Here's a simplified version of the code responsible
if($_GET['act'] == 'deletefile') {
$filename = $_GET['filename'];
$filepath = '../templates/' . $filename;
if(file_exists($filepath)) {
unlink($filepath);
}
// No further checks or restrictions
}
Notice how $filename comes directly from user input ($_GET['filename']) and is concatenated to the templates folder path. There are no checks to ensure that $filename doesn't include ../ (directory traversal), or that it only deletes files within the intended directory.
How the Exploit Works
Attackers can leverage directory traversal to craft malicious requests, deleting files outside the templates directory.
Suppose the attacker wants to delete the critical config.php file
GET /cmseasy/lib/admin/template_admin.php?act=deletefile&filename=../../config.php
This will resolve ../templates/../../config.php, which typically maps to /cmseasy/config.php. If the file exists and the server permissions allow, the file will be deleted.
Website config: Bricking the site
- User uploads/images: Destroying content
`bash
curl "http://target-site.com/cmseasy/lib/admin/template_admin.php?act=deletefile&filename=../../config.php"
The targeted file (config.php) will be deleted from the filesystem if permissions allow.
> Warning: Performing this on a live, non-permitted server is illegal and unethical. Use only for testing and with authorization.
Official References
- NVD entry for CVE-2024-25828
- Exploit Database: 53286
- cmseasy GitHub - old releases
## How to Fix/Defend
If you're running cmseasy V7.7.7.9, upgrade to a patched version immediately, if available.
Implement input sanitization:
- Reject any file name including .., /, or \
Patched Code Example
if($_GET['act'] == 'deletefile') {
$filename = basename($_GET['filename']); // This strips directory path
$filepath = '../templates/' . $filename;
if(file_exists($filepath) && strpos(realpath($filepath), realpath('../templates/')) === ) {
unlink($filepath);
}
}
- Using basename() strips directory traversal, and checking with realpath() ensures the file is *inside* the template directory.
Restrict admin features: Don't expose this functionality to unauthenticated users!
Conclusion
CVE-2024-25828 is a dangerous, trivial-to-exploit file deletion vulnerability in cmseasy V7.7.7.9. If you run or maintain this product, prioritize patching it immediately, and review input handling in your PHP apps.
For ongoing protection, always validate user input, especially in file operations, and follow the OWASP Secure Coding Practices.
Timeline
Published on: 02/22/2024 16:15:54 UTC
Last modified on: 08/19/2024 21:35:05 UTC