74CMS Path Traversal Vulnerability Leading to Arbitrary File Read and Remote Code Execution

A path traversal vulnerability has been identified in 74CMS versions through 3.33.0. The issue resides in the index function of the file '/index.php/index/download/index', where improper validation of the 'url' argument allows for path traversal. This vulnerability can be exploited remotely, leading to arbitrary file reads on Windows systems. Exploitation of this vulnerability could allow any user to log in and potentially execute remote code.

Impact

Successful exploitation allows for arbitrary file reads, which could be leveraged to read sensitive files such as the Windows 'win.ini' file. This vulnerability could also lead to unauthorized access and remote code execution on the server.

Reproduction

To reproduce this vulnerability, send a request to '/index.php/index/download/index' with a crafted 'url' parameter that includes path traversal sequences. The vulnerability can be demonstrated by reading the 'win.ini' file on a Windows server, which indicates successful exploitation. Additionally, arbitrary file reads could be used to access files within the MySQL data directory for 74CMS, potentially leading to remote code execution.