Fearless Geek Media FearlessCMS Directory Traversal Vulnerability Allowing Denial-of-Service
Vulnerability
A directory traversal vulnerability has been identified in Fearless Geek Media's FearlessCMS version 0.0.2-15. This vulnerability allows remote attackers to cause a denial-of-service by exploiting the plugin-handler.php file and the deleteDirectory function. The issue arises because the application improperly sanitizes user input, enabling attackers to traverse directories and delete arbitrary files or directories on the server.
Impact
Exploitation of this vulnerability allows for arbitrary directory deletion with the privileges of the web server user, potentially leading to a denial-of-service or further compromise of the application or server.
Reproduction
The vulnerability can be reproduced by sending a POST request to the admin/plugin-handler.php file with the plugin_slug parameter set to a directory traversal payload, such as ../../../../../../../../../../tmp/folder. This request can be made using a tool like curl, including the PHPSESSID cookie for an admin session.
Remediation
Sanitize and validate the plugin_slug parameter to prevent directory traversal. Implement checks to ensure deletions are restricted to paths inside PLUGIN_DIR. Consider using realpath() to verify that the resolved path is safe before performing deletion.
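The sketch below shows one way to apply the remediation above: allow-list the slug, then use realpath() to confirm the resolved directory sits inside the plugin root before anything is deleted. It is an added example, not FearlessCMS code; the helper name resolvePluginDir, the slug pattern and the temporary demo directories are assumptions, and the symlink case assumes a POSIX host.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of FearlessCMS): returns the canonical plugin
// directory for $slug, or null when the slug must be rejected.
function resolvePluginDir(string $pluginRoot, string $slug): ?string
{
    // 1. Allow-list: one path component, no separators, dots or NUL bytes.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $slug) !== 1) {
        return null;
    }
    // 2. Canonicalise both paths. realpath() resolves ".." and symlinks and
    //    returns false when the path does not exist.
    $root   = realpath($pluginRoot);
    $target = realpath($pluginRoot . DIRECTORY_SEPARATOR . $slug);
    if ($root === false || $target === false || !is_dir($target)) {
        return null;
    }
    // 3. Containment check with a trailing separator, so a sibling such as
    //    "plugins-backup" cannot pass as a prefix match for "plugins".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo layout: plugins/gallery is a real plugin directory and
// plugins/evil is a symlink that points outside the plugin root.
$base = sys_get_temp_dir() . '/fcms-demo-' . bin2hex(random_bytes(4));
mkdir("$base/plugins/gallery", 0700, true);
mkdir("$base/outside", 0700, true);
symlink("$base/outside", "$base/plugins/evil");

$cases = [
    'gallery',                                   // legitimate slug
    '../../../../../../../../../../tmp/folder',  // payload shape from the advisory
    '../outside',                                // short traversal to a sibling
    'evil',                                      // passes the regex, fails containment
    'missing',                                   // directory does not exist
];
foreach ($cases as $slug) {
    $resolved = resolvePluginDir("$base/plugins", $slug);
    printf("%-45s => %s\n", var_export($slug, true), $resolved ?? 'REJECTED');
}
```

Only 'gallery' resolves to a path; every other case prints REJECTED. A deletion routine should operate only on the returned canonical path, never on the raw plugin_slug value.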
