DPanel Path Traversal Vulnerability Leading to Arbitrary File Deletion
Vulnerability
An arbitrary file deletion vulnerability has been identified in DPanel, an open-source server management panel written in Go. It affects versions prior to 1.9.2, specifically the '/api/common/attach/delete' interface. Authenticated users can exploit this issue to delete arbitrary files on the server via path traversal. The vulnerability arises because the 'Delete' function in the 'app/common/http/controller/attach.go' file passes the user-submitted 'path' parameter directly to 'storage.Local{}.GetSaveRealPath' and then to 'os.Remove', without adequate sanitization or validation for path traversal characters. Although the 'GetSaveRealPath' function resolves '../' segments, it does not enforce a chroot or jail, so the resolved path can still point outside the intended storage directory.
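The resolve-then-delete pattern the advisory describes, shown beside a hardened version that confines the resolved path to the storage root, as an added Go example. This is not DPanel's code: the function names 'unsafeRealPath', 'safeRealPath' and 'deleteAttachment', the storage root '/srv/storage' and the sample attachment paths are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a user-supplied path resolves outside the storage root.
var ErrOutsideBase = errors.New("path escapes the storage directory")

// unsafeRealPath mirrors the flaw the advisory describes (hypothetical, not DPanel's code):
// the user-supplied path is joined to the storage root and lexically cleaned, which
// resolves "../" segments but does nothing to keep the result under the root.
func unsafeRealPath(base, userPath string) string {
	return filepath.Clean(filepath.Join(base, userPath))
}

// safeRealPath performs the same join and clean, then verifies that the result is a
// strict descendant of the storage root. filepath.Rel yields a path starting with ".."
// whenever the target lies outside base, and "." when it is base itself; both are rejected.
func safeRealPath(base, userPath string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Clean(filepath.Join(absBase, userPath))
	rel, err := filepath.Rel(absBase, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// deleteAttachment is the hardened delete handler core (hypothetical): it only calls
// os.Remove on a path that passed the confinement check.
func deleteAttachment(base, userPath string) error {
	target, err := safeRealPath(base, userPath)
	if err != nil {
		return err
	}
	return os.Remove(target)
}

func main() {
	const base = "/srv/storage" // assumed storage root
	traversal := "../../tmp/1.txt" // constructed traversal input
	fmt.Println("unsafe resolves to:", unsafeRealPath(base, traversal))
	if _, err := safeRealPath(base, traversal); err != nil {
		fmt.Println("safe rejects it:", err)
	}
	if p, err := safeRealPath(base, "uploads/report.pdf"); err == nil {
		fmt.Println("safe accepts:", p)
	}
}
```

The check is lexical: if the storage root can contain symlinks created by users, resolve the parent directory with filepath.EvalSymlinks before comparing, since a symlink inside the root can still point outside it.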
Impact
Exploitation of this vulnerability allows for unauthorized deletion of files on the server.
Reproduction
To reproduce this vulnerability, log into the DPanel administrative backend and obtain an authorization token. Then, send a POST request to the '/dpanel/api/common/attach/delete' endpoint, including the authorization token and a path traversal payload in the 'path' parameter to delete a targeted file, such as '/tmp/1.txt'.
Remediation
Users can upgrade to DPanel version 1.9.2 or later to address this vulnerability.