GreenCMS
cpe:2.3:a:njtech:greencms:*:*:*:*:*:*:*
- 2.0
- 2.1
- 2.2
- 2.3
A path traversal vulnerability allowing arbitrary file deletion has been identified in GreenCMS versions through 2.3. The issue resides in the File Handler component, specifically within the DataController.class.php file. The vulnerability arises because the sqlFiles or zipFiles parameter does not undergo proper validation, enabling attackers to manipulate file paths and delete files across directories. This flaw can be exploited remotely, without requiring authentication, and has been publicly disclosed along with an available exploit.
Exploitation of this vulnerability allows for the deletion of any file on the server, including critical configuration and database files. Such actions can cause significant website downtime, permanent data loss, and potential breaches of user privacy, leading to legal repercussions. Additionally, the vulnerability could be exploited to disrupt server operations and damage the organization's reputation.
To reproduce this vulnerability, intercept a POST request to index.php?m=admin&c=data&a=delsqlfiles using a tool like Burp Suite. Modify the sqlFiles or zipFiles parameter to include a path traversal payload that navigates to a directory outside the intended scope. After creating a test file in the target directory, send the modified request. The lack of proper server-side path validation will allow the deletion of the test file, demonstrating the vulnerability.
It is recommended to implement strict input validation for file path parameters, ensuring that only safe, predefined paths are accepted. Additionally, use secure file handling functions that prevent direct manipulation of file paths, and apply the principle of least privilege to restrict file deletion permissions to only necessary directories. Logging file deletion activities can also help monitor and audit such operations.
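The validation, confinement and logging recommended above can be combined in one deletion helper. This is an added example, not GreenCMS code: the function names are hypothetical, and it assumes the file names arrive as an array and that backups sit directly in one directory with names made of letters, digits, dot, underscore or hyphen ending in .sql or .zip.

```php
<?php
// Added example; hypothetical helper names, not GreenCMS code.
// Assumption: deletable backups live directly in one directory and are named
// with letters, digits, dot, underscore or hyphen, ending in .sql or .zip.

/** Return the canonical path of $name inside $baseDir, or null if not allowed. */
function resolveBackupFile(string $baseDir, string $name): ?string
{
    // Allowlist the name: no separators, no leading dot, fixed extensions.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\.(sql|zip)\z/', $name)) {
        return null;
    }
    // Canonicalise both sides so a symlink cannot point outside the directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved file must sit directly in the backup directory.
    return dirname($path) === $base ? $path : null;
}

/** Delete each requested backup and log every decision. Returns name => bool. */
function deleteBackupFiles(string $baseDir, array $names): array
{
    $results = [];
    foreach ($names as $name) {
        $name = is_string($name) ? $name : '';
        $path = resolveBackupFile($baseDir, $name);
        if ($path === null) {
            // Rejected requests are logged so traversal attempts are visible.
            error_log('backup delete rejected: ' . var_export($name, true));
            $results[$name] = false;
            continue;
        }
        $results[$name] = unlink($path);
        error_log('backup delete ' . ($results[$name] ? 'ok' : 'failed') . ': ' . $path);
    }
    return $results;
}

// Constructed demo in a temporary directory: one valid name, one rejected name.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'site_20240101.sql');
var_dump(deleteBackupFiles($dir, ['site_20240101.sql', '../outside.sql']));
rmdir($dir);
```

The helper does not replace access control on the endpoint itself: the request should also require an authenticated administrator session before any deletion is attempted.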