ZenTao File Module Privilege Escalation Vulnerability in Delete Function
Vulnerability
A horizontal privilege escalation vulnerability has been identified in ZenTao Project Management Software versions through 21.7.6-8564. The issue resides in the file module's delete function, located in module/file/control.php. The vulnerability allows unauthorized deletion of files by manipulating the fileID parameter, bypassing object-level permission checks. This flaw can be exploited remotely, leading to arbitrary file deletion, including attachments from other users' comments.
Impact
Exploitation of this vulnerability allows for the unauthorized deletion of files, including critical comment attachments, which can disrupt the integrity of the comment system and erase important audit trail data.
Reproduction
To reproduce this vulnerability, log in with a high-privilege account that has the file-delete permission. Create a comment with an attachment, then log in with another account that also has file-delete permission. Obtain the fileID of the attachment from the first account's comment, and use it to call the file::delete() function directly, bypassing the normal permission checks. After the deletion, refresh the page to confirm that the attachment has been removed, demonstrating the successful exploitation of the vulnerability.
Remediation
Users are advised to upgrade to ZenTao version 21.7.7, where this vulnerability has been fixed. A patch is also available for version 21.7.6.
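The class of check whose absence the advisory describes, as an added example that is not ZenTao's code or its 21.7.7 patch: a delete handler that checks only the function-level file-delete permission, beside one that also authorizes against the specific file record. The record fields, the helper names and the rule that only the uploader may delete are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: attachment records keyed by fileID.
// Field names are illustrative, not ZenTao's schema.
$files = [
    101 => ['addedBy' => 'alice', 'title' => 'design.pdf'],
    102 => ['addedBy' => 'bob',   'title' => 'notes.txt'],
];

// Both accounts hold the function-level "file-delete" permission,
// matching the two accounts in the reproduction steps.
$privileges = [
    'alice' => ['file-delete'],
    'bob'   => ['file-delete'],
];

function hasPriv(array $privileges, string $user, string $priv): bool
{
    return in_array($priv, $privileges[$user] ?? [], true);
}

// Weak pattern: only the function-level permission is checked, so the
// caller-supplied fileID alone decides which record is removed.
function deleteFunctionLevelOnly(array &$files, array $privileges, string $user, int $fileID): bool
{
    if (!hasPriv($privileges, $user, 'file-delete')) return false;
    if (!isset($files[$fileID])) return false;
    unset($files[$fileID]);
    return true;
}

// Hardened pattern: load the record, then authorize the caller against it.
function deleteWithObjectCheck(array &$files, array $privileges, string $user, int $fileID): bool
{
    if (!hasPriv($privileges, $user, 'file-delete')) return false;
    $file = $files[$fileID] ?? null;
    if ($file === null) return false;
    if ($file['addedBy'] !== $user) return false; // object-level check (assumed ownership rule)
    unset($files[$fileID]);
    return true;
}

// bob requests deletion of alice's attachment (101), then his own (102).
$weakStore = $files;
$hardStore = $files;
var_dump(deleteFunctionLevelOnly($weakStore, $privileges, 'bob', 101));
var_dump(deleteWithObjectCheck($hardStore, $privileges, 'bob', 101));
var_dump(deleteWithObjectCheck($hardStore, $privileges, 'bob', 102));
```

In a real deployment the object-level rule would follow the permissions of the object the file is attached to rather than a bare uploader comparison.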
