bg5sbk MiniCMS Improper Authentication Vulnerability in Trash File Restore Handler

A vulnerability allowing unauthorized restoration of deleted files has been identified in bg5sbk MiniCMS versions through 1.8. This issue arises from inadequate permission checks in the Trash File Restore Handler, specifically within the /minicms/mc-admin/post.php file. The vulnerability enables attackers to bypass authentication and restore deleted files, including sensitive documents and potentially malicious files, from the Recycle Bin to the Drafts folder. The flaw can be exploited remotely, without authentication, and affects various operating systems, including Windows and Linux, as well as cloud and NAS storage devices.

Impact

Exploitation of this vulnerability allows for unauthorized recovery of deleted files, bypassing established data deletion protocols and permission controls. This could lead to reinstating sensitive information, previously removed malware, or other confidential documents, causing data leaks, compliance issues, and financial repercussions. The vulnerability also poses a risk of reintroducing malware into the system, where it could spread and cause further destabilization.

Reproduction

To reproduce this vulnerability, access the backend of MiniCMS v1.8. Initiate a file restoration request from the Trash, capturing the data packet. Remove the 'mc_token' Cookie field from the request and resend the packet. The system will restore the deleted file to the Drafts folder, demonstrating the unauthorized restoration capability.

Remediation

It is recommended to enhance the authorization verification process by implementing checks for the 'mc_token' Cookie and user login status in the restoration function of /minicms/mc-admin/post.php. Only authorized administrators should be allowed to restore files. Additionally, verify that the requested file belongs to the user making the request to prevent unauthorized restorations. Users should also consider upgrading to the latest version of MiniCMS, if available.