Sanluan PublicCMS Path Traversal Vulnerability in Task Template Management Leading to Remote Code Execution
Vulnerability
A critical path traversal vulnerability has been identified in Sanluan PublicCMS versions through 5.202506.d. This vulnerability exists in the Task Template Management component, specifically within the Save function of the TaskTemplateAdminController. The issue arises from inadequate sanitization of the user-controlled path parameter, allowing authenticated administrators to manipulate file paths and write arbitrary files to the server. Exploitation of this vulnerability can overwrite system scripts that are executed by the scheduled task system, resulting in remote code execution with server privileges.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running under the system user. This could lead to a complete takeover of the server.
Reproduction
To reproduce this vulnerability, an authenticated administrator can send a POST request to the '/admin/taskTemplate/save.html' endpoint. The request must include a crafted 'path' parameter that exploits the path traversal vulnerability, such as by using URL-encoded sequences or double-dot traversal techniques. The 'content' parameter should be base64-encoded shell commands that, when decoded and executed, establish a reverse shell connection.
Remediation
It is recommended to improve path sanitization by using proper path normalization techniques, add boundary checks to ensure that file paths remain within designated directories, and verify the integrity of scripts before execution.
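The normalization and boundary check recommended above, as an added Java example that is not PublicCMS code: the class name, method name and sample paths are hypothetical, and the check assumes the 'path' value has already been URL-decoded by the framework.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.LinkOption;
import java.nio.file.Path;
// Added example: names and the sample directory are hypothetical, not PublicCMS code.
public class TemplatePathGuard {
    /** Resolves a user-supplied relative path and rejects anything that leaves baseDir. */
    static Path resolveInside(Path baseDir, String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed path");
        }
        Path base = baseDir.toRealPath();                   // canonical base, symlinks resolved
        Path candidate;
        try {
            candidate = base.resolve(userPath).normalize(); // collapses "." and ".." segments
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed path");
        }
        // Path.startsWith compares whole path elements, so /base-evil does not match /base.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("path escapes template directory");
        }
        // Re-check with symlinks resolved on the deepest existing entry (dangling links fail closed).
        Path existing = candidate;
        while (!Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        if (!existing.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink escapes template directory");
        }
        return candidate;
    }
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("task-template"); // constructed sample directory
        String[] samples = {"daily/report.task", "../outside.sh", "a/../../outside.sh", "/tmp/x"};
        for (String p : samples) {                              // constructed sample inputs
            try {
                Path safe = resolveInside(base, p);
                Files.createDirectories(safe.getParent());
                Files.write(safe, "demo".getBytes(StandardCharsets.UTF_8));
                System.out.println("ALLOW  " + p);
            } catch (SecurityException e) {
                System.out.println("REJECT " + p + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is written; the other three are rejected before any file operation because the normalized result no longer starts with the canonical base directory.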
