ZenTao Backup Component Path Traversal Vulnerability Leading to Arbitrary File Deletion
Vulnerability
A path traversal vulnerability allowing arbitrary file deletion has been identified in ZenTao versions through 21.7.8. The issue arises in the Backup Handler component, specifically within the delete function of editor/control.php. This vulnerability can be exploited remotely by manipulating the fileName parameter, which is not properly validated, allowing attackers to traverse the file system and delete targeted files or directories.
Impact
Exploitation of this vulnerability allows authenticated users to delete arbitrary files on the server, potentially leading to loss of critical application data or system files.
Reproduction
To reproduce this vulnerability, send a GET request to the ZenTao application with the backup module and the delete function. Include a crafted fileName parameter that traverses out of the backup directory, such as '../../../../../target'. The request must be made with an authenticated session.
Remediation
Users are advised to update to ZenTao version 21.7.9, which addresses this vulnerability by implementing proper path validation and sanitization in the delete function.
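The kind of path validation this remediation refers to, as an added example that is not ZenTao's actual patch or code: the `fileName` value is treated as a single path component, canonicalized, and accepted only if it resolves inside the backup directory. The helper name `resolveBackupPath` and the demo directory layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not ZenTao code): map a user-supplied backup name to a
// canonical path inside $backupDir, or return null if it must not be touched.
function resolveBackupPath(string $backupDir, string $fileName): ?string
{
    // A backup name is a single path component: refuse separators, NUL bytes,
    // and the special entries "." and "..".
    if ($fileName === '' || $fileName === '.' || $fileName === '..'
        || strpbrk($fileName, "/\\") !== false
        || strpos($fileName, "\0") !== false) {
        return null;
    }

    // realpath() resolves symlinks and ".." segments; false means "does not exist".
    $base = realpath($backupDir);
    $target = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $target === false) {
        return null;
    }

    // Compare canonical paths with a trailing separator so a sibling such as
    // "backup-old" is not treated as being inside "backup".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo tree: <tmp>/backup/2024-01-01.sql and <tmp>/target.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bk_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/backup', 0700, true);
touch($root . '/backup/2024-01-01.sql');
touch($root . '/target');

$names = ['2024-01-01.sql', '../target', '../../../../../target', '..', 'missing.sql'];
foreach ($names as $name) {
    $path = resolveBackupPath($root . '/backup', $name);
    // Only a non-null result may ever reach unlink()/rmdir().
    printf("%-24s %s\n", $name, $path === null ? 'rejected' : 'allowed');
}

// Remove the demo tree.
unlink($root . '/backup/2024-01-01.sql');
unlink($root . '/target');
rmdir($root . '/backup');
rmdir($root);
```

The component check alone would miss a symlink planted inside the backup directory, and the prefix check alone depends on canonicalization having happened first, so the helper applies both.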
