MuYuCMS Directory Traversal Vulnerability in Template Management Component

Vulnerability

A directory traversal vulnerability has been identified in MuYuCMS version 2.7, specifically within the template management feature. The issue resides in the 'delete_dir_file' function of the 'Template.php' controller, located in 'application/admin/controller/'. This vulnerability allows authenticated attackers to manipulate the 'temn' and 'tp' parameters, exploiting the lack of input validation and path sanitization. By including directory traversal sequences, attackers can escape the intended template directory and target arbitrary files on the server. The exploitation of this vulnerability leads to the recursive deletion of critical system files, causing permanent data loss, denial of service, and potential privilege escalation.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion, with the potential to remove critical system files, security configurations, and application data, leading to a denial of service and privilege escalation.

Reproduction

To reproduce this vulnerability, send a POST request to '/admin/template/tempdel' with the 'temn' parameter set to 'home_temp' and the 'tp' parameter containing directory traversal sequences, such as '../../../config/database.php'. The request triggers the path traversal, allowing access to files outside the intended directory.

Remediation

It is recommended to add path validation before file deletion. Ensure that the target path is checked against a list of allowed directories to prevent unauthorized access to sensitive files.
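One way to implement the recommended check, as an added example that is not MuYuCMS code or a vendor patch: the helper name resolve_allowed_path, the allowed-directory list and the sandbox layout are all hypothetical. The 'tp' value is canonicalized with realpath() and accepted only if the result lies strictly inside an allowed base directory; only an accepted path would then be handed to the delete routine.

```php
<?php
// Added example: hypothetical helper and paths, not taken from MuYuCMS.

/**
 * Resolve $userPath beneath one of $allowedBases.
 * Returns the canonical absolute path, or null if the request must be refused.
 */
function resolve_allowed_path(array $allowedBases, string $userPath): ?string
{
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    foreach ($allowedBases as $base) {
        $realBase = realpath($base);
        if ($realBase === false) {
            continue; // misconfigured base: never fall back to an unchecked path
        }
        // realpath() collapses ../ and follows symlinks; false if the target is missing.
        $real = realpath($realBase . DIRECTORY_SEPARATOR . $userPath);
        if ($real === false) {
            continue;
        }
        // Compare with a trailing separator so "/home_temp_x" cannot match "/home_temp".
        // The base directory itself is not an acceptable deletion target either.
        $prefix = $realBase . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    return null;
}

// Constructed sandbox standing in for the application tree.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir("$root/template/home_temp/old_theme", 0700, true);
mkdir("$root/config", 0700, true);
file_put_contents("$root/config/database.php", "<?php // constructed\n");
file_put_contents("$root/template/home_temp/old_theme/index.html", "constructed");

$allowed = ["$root/template/home_temp"];
foreach (['old_theme', '../../config/database.php', '.', 'missing'] as $tp) {
    $target = resolve_allowed_path($allowed, $tp);
    // Only a non-null $target would be passed on to the deletion code.
    echo str_pad($tp, 28), $target === null ? 'REJECTED' : "OK -> $target", PHP_EOL;
}
```

Because the comparison runs on the canonical path, a symlink inside the template directory that points elsewhere is rejected along with literal '../' sequences.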

Added: Feb 24, 2026, 6:20 AM
Updated: Feb 24, 2026, 2:23 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.8
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.