ZenTao Path Traversal Vulnerability in Editor Component Allowing Arbitrary File Deletion
Vulnerability
A path traversal vulnerability has been identified in ZenTao versions through 21.7.8, specifically within the editor component's delete function in editor/control.php. This vulnerability allows authenticated users to manipulate the filePath argument, leading to arbitrary file deletion on the server. The issue arises because the application fails to validate and sanitize the decoded file path before acting on it, so an encoded path containing directory traversal sequences can reach and delete files outside the intended directory.
Impact
Exploitation of this vulnerability allows for arbitrary file deletion on the server's filesystem, which could lead to loss of critical application data or system files.
Reproduction
To reproduce this vulnerability, first ensure that the ZenTao editor feature is activated. This can be done by sending a POST request to the editor module to turn on the editor feature. Once the editor is active, send a GET request to the delete function of the editor module, including a Base64-encoded file path in the filePath parameter. The server will decode the path, check if the file exists, and if so, delete it without proper validation, thereby exploiting the path traversal vulnerability.
Remediation
Upgrade to ZenTao version 21.7.9, which addresses this vulnerability by implementing proper path validation and restricting file deletion to certain directories.
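The following is an added illustration of the kind of path validation the fix calls for; it is not ZenTao's code, and the directory constant, function name and the treatment of the parameter as a Base64-encoded relative path are assumptions for the example. The resolved path is canonicalised with realpath() and must sit strictly inside one allowed directory before unlink() is ever reached.

```php
<?php
// Added example of a contained delete routine; NOT ZenTao's implementation.
// EDITOR_UPLOAD_DIR is an assumed location for the editor's own files.
const EDITOR_UPLOAD_DIR = '/var/www/zentao/www/data/upload/editor';

/**
 * Delete a user-supplied file only if it resolves to a regular file inside
 * EDITOR_UPLOAD_DIR. Returns true when the file was removed, false otherwise.
 */
function deleteEditorFile(string $encodedPath): bool
{
    // The advisory describes the parameter as Base64-encoded; decode strictly so
    // malformed input is rejected instead of being partially decoded.
    $relative = base64_decode($encodedPath, true);
    if ($relative === false || $relative === '' || strpos($relative, "\0") !== false) {
        return false;
    }

    // Canonicalise the allowed root once. realpath() collapses '..', symlinks
    // and duplicate separators, which is exactly what a raw string check misses.
    $root = realpath(EDITOR_UPLOAD_DIR);
    if ($root === false) {
        return false;
    }

    // Always interpret the input relative to the root, never as an absolute path.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return false;
    }

    // Containment check on the *resolved* path: it must begin with "<root>/".
    // Comparing with the trailing separator stops "<root>2/..." from matching.
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }

    return unlink($candidate);
}
```

A traversal such as a decoded `../../etc/passwd` resolves outside `$root` and fails the prefix comparison, as does a symlink inside the upload directory that points elsewhere, because realpath() follows it before the check.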
