e107 CMS Path Traversal Vulnerability in Avatar Handler Allowing Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in e107 CMS versions through 2.3.3, specifically within the Avatar Handler component. The issue arises in requests to '/e107_admin/image.php?mode=main&action=avatar', where the 'multiaction[]' parameter, which carries the names of the avatar files selected for a bulk action, is not confined to the avatar directory; a crafted value can make the handler delete files elsewhere on the filesystem. The request is made remotely over HTTP, but it requires an authenticated user with access to the admin backend, so the vulnerability is a post-authentication issue.

Impact

Exploitation of this vulnerability allows an authenticated user to delete any file the web server process has permission to remove, inside or outside the web root. Depending on what is deleted, the result ranges from loss of user data to the site and other services on the host ceasing to function.

Reproduction

To reproduce this vulnerability, log into the admin backend of an affected e107 CMS version. Navigate to the Media Manager's Avatars feature, select an avatar for deletion and intercept the resulting HTTP request to 'e107_admin/image.php?mode=main&action=avatar'. Replace the value of the 'multiaction[]' parameter with a path traversal payload such as '..././..././..././a.txt'. A payload of this shape is aimed at sanitisation that removes '../' in a single pass: after one such pass each '..././' collapses to '../', so the three segments climb three directories above the avatar directory and name a file 'a.txt' there (place a test file at that location beforehand). After sending the request, confirm the deletion by checking that 'a.txt' no longer exists on the server.
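
The payload shape above, worked through in code. This is an added illustration, not code from e107 (which is written in PHP; the example is Python so it can be run directly). The function naive_strip is a hypothetical single-pass '../' filter standing in for whatever sanitisation the doubled payload is meant to defeat, the directory tree and the victim file a.txt are constructed fixtures, and resolve_inside is the containment check (realpath plus a common-prefix test) that a hardened handler would apply to the exact path it is about to unlink.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple

# Payload quoted from the advisory's reproduction steps.
PAYLOAD = "..././..././..././a.txt"


def naive_strip(name: str) -> str:
    """Hypothetical single-pass '../' filter. This is NOT e107's code; it
    stands in for any non-recursive denylist the doubled payload targets.
    str.replace scans once, left to right, so each '..././' loses its
    inner '../' and collapses to a new '../' that is never re-examined."""
    return name.replace("../", "")


def recursive_strip(name: str) -> str:
    """The same denylist repeated until stable. It neutralises this payload
    but remains a denylist; the allowlist check below is the real fix."""
    while "../" in name:
        name = name.replace("../", "")
    return name


def resolve_inside(base_dir: str, name: str) -> Optional[str]:
    """Allowlist check: resolve the full path (symlinks included) and keep
    it only if it is still under base_dir. Returns None when it escapes."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def build_fixture() -> Tuple[str, str]:
    """Constructed tree: an avatar directory three levels below a root that
    holds the victim file a.txt. Returns (avatar_dir, victim_path)."""
    root = tempfile.mkdtemp(prefix="e107demo_")
    avatar_dir = os.path.join(root, "site", "e107_media", "avatars")
    os.makedirs(avatar_dir)
    victim = os.path.join(root, "a.txt")
    with open(victim, "w", encoding="utf-8") as fh:
        fh.write("not an avatar\n")
    return avatar_dir, victim


def delete_with_naive_filter(avatar_dir: str, name: str) -> bool:
    """Vulnerable handler: filters the name, then trusts the result."""
    path = os.path.join(avatar_dir, naive_strip(name))
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def delete_with_containment(avatar_dir: str, name: str) -> bool:
    """Hardened handler: no string surgery, just a containment check on the
    exact path that will be unlinked."""
    path = resolve_inside(avatar_dir, name)
    if path is None or not os.path.isfile(path):
        return False
    os.remove(path)
    return True


def run_demo() -> Dict[str, object]:
    """Run both handlers against fresh fixtures and report what happened."""
    results: Dict[str, object] = {}
    avatars, victim = build_fixture()
    results["filtered_name"] = naive_strip(PAYLOAD)
    results["naive_deleted"] = delete_with_naive_filter(avatars, PAYLOAD)
    results["victim_after_naive"] = os.path.exists(victim)

    avatars, victim = build_fixture()
    # The raw payload resolves to a (nonexistent) '...' subtree under the
    # avatar dir; it only climbs out after the naive filter rewrites it.
    results["raw_escapes"] = resolve_inside(avatars, PAYLOAD) is None
    results["filtered_escapes"] = resolve_inside(avatars, naive_strip(PAYLOAD)) is None
    results["safe_deleted"] = delete_with_containment(avatars, PAYLOAD)
    results["victim_after_safe"] = os.path.exists(victim)
    results["legit_name_allowed"] = resolve_inside(avatars, "me.png") is not None
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>20}: {value}")
```

The point the demo makes is that the raw payload is harmless to a containment check (it points at a non-existent '...' subtree inside the avatar directory) and only becomes '../../../a.txt' after the filter rewrites it. Any check must therefore run on the final path the code will pass to unlink, not on the string as received.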

Added: Oct 19, 2025, 4:18 PM
Updated: Oct 19, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined to calculate the overall risk score.