MRCMS Path Traversal Vulnerability in File Deletion Function

Vulnerability

A critical path traversal vulnerability has been identified in MRCMS version 3.1.2. The issue arises in the file deletion function of the FileController component, specifically within the admin file management interface. By manipulating the path or name arguments, it is possible to traverse directories and delete arbitrary files from the server. This vulnerability can be exploited remotely and does not require authentication.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of files, potentially disrupting website functionality or causing data loss.

Reproduction

To reproduce this vulnerability, log into the MRCMS backend as an administrator. Upload a test image through the file management section. Once the image is uploaded, send a request to the '/admin/file/delete.do' endpoint, including the manipulated path or name argument that points to the uploaded file. The absence of a cookie value in the request will bypass authentication, resulting in the deletion of the specified file.

Remediation

It is recommended to implement proper access control checks on the file deletion interface to ensure that only authorized users can delete files. Following the principle of least privilege, any request that fails the access control check should be terminated immediately.
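As an added illustration of the remediation above, not code from MRCMS, the following Python models the two checks a hardened delete handler needs: fail closed when no authenticated admin session is present, and confirm the resolved path plus name still sits under the upload root before unlinking anything. The upload root, session shape and the way the request fields are passed in are assumptions.

```python
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """Raised when a request fails the access-control or path-containment check."""


def require_admin(session):
    # Fail closed: a missing session (no cookie) is rejected, never treated as admin.
    if not session or session.get("role") != "admin":
        raise AccessDenied("authentication required")


def resolve_upload_target(base_dir, rel_path, name):
    """Resolve path+name against the upload root; refuse anything that escapes it."""
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise AccessDenied("invalid file name")
    if Path(rel_path).is_absolute():
        raise AccessDenied("absolute path not allowed")
    base = Path(base_dir).resolve()
    target = (base / rel_path / name).resolve()
    # Containment check after normalising any ".." segments.
    if target != base and base not in target.parents:
        raise AccessDenied("path escapes upload root")
    return target


def is_safe_target(base_dir, rel_path, name):
    try:
        resolve_upload_target(base_dir, rel_path, name)
        return True
    except AccessDenied:
        return False


def delete_upload(session, base_dir, rel_path, name):
    require_admin(session)              # access control first
    target = resolve_upload_target(base_dir, rel_path, name)
    if target.is_file():
        target.unlink()
        return True
    return False


def demo():
    """Constructed scenario: an upload root with one test image and three requests."""
    root = tempfile.mkdtemp()
    img = Path(root, "images", "test.png")
    img.parent.mkdir()
    img.write_bytes(b"constructed sample image")
    results = {}
    for label, session, rel, name in [
        ("no_cookie", None, "images", "test.png"),
        ("traversal", {"role": "admin"}, "../../..", "passwd"),
        ("admin_ok", {"role": "admin"}, "images", "test.png"),
    ]:
        try:
            results[label] = "deleted" if delete_upload(session, root, rel, name) else "not_found"
        except AccessDenied as exc:
            results[label] = f"denied: {exc}"
    results["file_exists"] = img.exists()
    return results
```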

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread           1.0
  impact           2.5
  exploitability   9.7
  remediation      0.0
  relevance        0.0
  threat           6.4
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.