Fearless Geek Media FearlessCMS Directory Traversal Vulnerability Allowing Denial-of-Service

Vulnerability

A directory traversal vulnerability has been identified in Fearless Geek Media FearlessCMS version 0.0.2-15. The flaw is in plugin-handler.php, where file_get_contents() is called on a file path built from unsanitized user input, and remote attackers can use it to cause a denial-of-service. Because the path is constructed without validation, directory traversal sequences in the input let an attacker reach files or directories outside the intended location.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition by causing excessive resource consumption or disrupting normal application functionality.

Reproduction

The vulnerability can be reproduced by sending a POST request to admin/index.php with a crafted 'path' parameter that includes directory traversal sequences. This will trigger the file_get_contents() function to read arbitrary .md files from the file system, such as /etc/passwd if it exists. Alternatively, the vulnerability can be reproduced by sending a POST request to admin/plugin-handler.php with a 'plugin_slug' parameter that includes directory traversal sequences, which will delete the specified directory and its contents.

Remediation

Users are advised to sanitize and validate user input to prevent directory traversal. For the file reading vulnerability, implement strict path validation and use realpath() to ensure the resolved path is within the allowed directory. For the plugin deletion vulnerability, validate the plugin_slug parameter to prevent traversal and restrict deletions to within the plugin directory.
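The two checks recommended above, as an added illustration (example code, not FearlessCMS's own): one helper resolves a requested content path with realpath() and refuses anything that is not an existing .md file strictly inside the content directory; the other accepts only plugin slugs matching a strict allow-list pattern and confirms the resolved directory is a direct child of the plugins directory. The directory names and the helper names are assumptions.

```php
<?php
// Added example: hypothetical helpers, not FearlessCMS code. The base directories are assumptions.
function safeContentPath(string $contentDir, string $requested): ?string
{
    // Reject empty input and embedded null bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($contentDir);
    if ($base === false) {
        return null; // the content directory itself must exist
    }
    // realpath() collapses ".." segments and symlinks, so the comparison is on the real location.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false || !is_file($resolved)) {
        return null; // nonexistent target, or not a regular file
    }
    // The resolved file must lie strictly inside the content directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // This code path only ever serves Markdown pages.
    if (pathinfo($resolved, PATHINFO_EXTENSION) !== 'md') {
        return null;
    }
    return $resolved;
}

function safePluginDir(string $pluginsDir, string $slug): ?string
{
    // Allow-list the slug: lowercase letters, digits and hyphens, so separators and ".." cannot appear.
    if (!preg_match('/\A[a-z0-9][a-z0-9-]{0,62}\z/', $slug)) {
        return null;
    }
    $base = realpath($pluginsDir);
    if ($base === false) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $slug);
    // Belt and braces: the plugin must be a directory that is a direct child of the plugins directory.
    if ($resolved === false || !is_dir($resolved) || dirname($resolved) !== $base) {
        return null;
    }
    return $resolved;
}

// Usage with the request parameter named in the advisory:
$page = safeContentPath(__DIR__ . '/content', $_POST['path'] ?? '');
if ($page === null) { http_response_code(400); exit('invalid path'); }
echo file_get_contents($page);
```

Only the value returned by safePluginDir() should ever be handed to the plugin removal routine; a null return means the request is rejected before anything is deleted.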

Added: Dec 10, 2025, 8:34 PM
Updated: Dec 10, 2025, 8:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.1
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.