Rhymix Arbitrary File Deletion Vulnerability in Admin File Controller

Vulnerability

An arbitrary file deletion vulnerability has been identified in Rhymix version 2.1.22. The issue lies in the 'procFileAdminEditImage' method of 'file.admin.controller.php'. The 'file_srl' parameter is used to locate the file to delete without adequate validation, so a value containing directory traversal sequences can point the deletion at arbitrary files on the server.

Impact

Exploitation of this vulnerability could lead to the unauthorized deletion of critical server files and disrupt system operations. Because the endpoint requires an administrator session and a valid CSRF token, the flaw is only reachable by an administrator or by someone who already holds admin token access; such an actor could use it to delete essential files outside the intended upload directory and break the site's functionality.

Reproduction

To reproduce this vulnerability, send a crafted POST request to the '/admin/?module=file&act=procFileAdminEditImage' endpoint with a 'file_srl' parameter that specifies a file path using directory traversal, such as '../../../../../1.txt'. The request must also carry valid admin cookies and a CSRF token. Once the request is processed, the file at the specified path is deleted, demonstrating the vulnerability.
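A hardened way to handle the parameter, as an added illustrative example rather than Rhymix's own code: 'file_srl' is accepted only as a positive integer, the stored path is then looked up by that id, and the resolved path is checked to lie inside the upload root before anything is unlinked (the upload root, the lookup callback and the function names are assumptions).

```php
<?php
// Added illustrative example, not Rhymix's own code. The upload root,
// lookup callback and function names are hypothetical.

// file_srl is a numeric record id. Reject anything else before it can
// influence a filesystem path.
function validateFileSrl($fileSrl): int
{
    if (!preg_match('/^[1-9][0-9]{0,17}$/', (string) $fileSrl)) {
        throw new InvalidArgumentException("file_srl must be a positive integer");
    }
    return (int) $fileSrl;
}

// Defence in depth: confirm the resolved path stays inside the upload root
// before unlinking it, even when the path came from a database lookup.
function isInsideUploadRoot(string $candidate, string $uploadRoot): bool
{
    $root = realpath($uploadRoot);
    $real = realpath($candidate);
    if ($root === false || $real === false) {
        return false; // unknown file or root: refuse
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0;
}

function safeDeleteUploadedFile($fileSrl, string $uploadRoot, callable $lookupPath): bool
{
    $srl = validateFileSrl($fileSrl);
    $path = $lookupPath($srl); // hypothetical DB lookup of the stored path
    if ($path === null || !isInsideUploadRoot($path, $uploadRoot)) {
        error_log("refused delete for file_srl=$srl: path outside upload root");
        return false;
    }
    return unlink($path);
}

// Demonstration on constructed input in a temporary directory.
$root = sys_get_temp_dir() . '/rhymix_demo_' . getmypid();
mkdir($root . '/attach', 0700, true);
file_put_contents($root . '/attach/42.png', 'x');
$lookup = fn (int $srl): ?string => $srl === 42 ? $root . '/attach/42.png' : null;
foreach (['../../../../../1.txt', '0', '7', '42'] as $input) {
    try {
        echo "file_srl=$input -> " . (safeDeleteUploadedFile($input, $root . '/attach', $lookup) ? 'deleted' : 'refused') . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "file_srl=$input -> rejected (" . $e->getMessage() . ")" . PHP_EOL;
    }
}
```

The traversal string and '0' are rejected by validation, '7' has no stored record and is refused, and only '42' resolves to a path under the upload root and is deleted.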

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.0
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.