CTCMS
cpe:2.3:a:ctcms_project:ctcms:*:*:*:*:*:*:*
- 2.1.2
A critical path traversal vulnerability has been identified in CTCMS Content Management System version 2.1.2. The issue resides in the file handler component, specifically in the del function of ctcms/apps/controllers/admin/Tpl.php. By manipulating the file parameter, an attacker can traverse outside the intended directory and delete arbitrary files, including sensitive ones such as configuration or core system files. Exploitation can lead to severe consequences, including website crashes, forced reinstalls, exposure of sensitive information, or complete system compromise.
Exploitation of this vulnerability allows authenticated users to delete arbitrary files on the server, including critical system and configuration files. This can cause the website to crash, disrupt normal operations, and potentially lead to a complete system compromise.
To reproduce this vulnerability, log into the CTCMS management backend and navigate to the template management section. Intercept the request to delete a template using Burp Suite or a similar tool. Modify the file parameter to include a payload that exploits the path traversal vulnerability, targeting a sensitive file such as install.lock or Ct_DB.php. Once the request is sent, the targeted file is deleted, and the website either crashes or triggers an installation wizard, depending on which file was removed.
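One way to contain a delete handler of the kind described above, as an added PHP example that is not CTCMS code: the user-supplied path is canonicalized with realpath() and refused unless it resolves to a regular file under the template root. The function names, the template root and the temp-directory demo files are assumptions constructed for illustration.

```php
<?php
// Added example, not CTCMS code. Function names and paths are hypothetical.

// Return the canonical path of $userPath only if it is a regular file
// inside $tplRoot; return null for anything else.
function resolve_inside(string $tplRoot, string $userPath): ?string
{
    $root = realpath($tplRoot);
    if ($root === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and fails on missing targets.
    $target = realpath($root . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Trailing separator keeps a sibling such as "template_old" from matching "template".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Delete a template file; refuses any path that resolves outside $tplRoot.
function safe_template_delete(string $tplRoot, string $userPath): bool
{
    $target = resolve_inside($tplRoot, $userPath);
    return $target !== null && unlink($target);
}

// Constructed demo tree in the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/template/skin', 0700, true);
file_put_contents($base . '/template/skin/index.html', 'tpl');
file_put_contents($base . '/install.lock', 'lock'); // sits outside the template root

// In-root template: accepted and removed.
var_dump(safe_template_delete($base . '/template', 'skin/index.html'));
// Path that resolves outside the root: refused, the outside file survives.
var_dump(safe_template_delete($base . '/template', '../install.lock'));
var_dump(file_exists($base . '/install.lock'));

// Clean up the demo tree.
unlink($base . '/install.lock');
rmdir($base . '/template/skin');
rmdir($base . '/template');
rmdir($base);
```

A race remains between the containment check and unlink() if untrusted users can create symlinks inside the template root, so that directory should not be writable by them.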