ZimaOS Arbitrary Deletion of Internal System Files via API Path Manipulation Vulnerability
Vulnerability
A vulnerability in ZimaOS version 1.5.2-beta3 allows users to bypass restrictions on deleting internal system files and directories. While the application interface prevents such deletions, the API does not enforce the same limitations. By manipulating the path parameter in delete requests, it is possible to remove critical OS files and folders. This issue arises from inadequate input validation and flawed access control regarding sensitive filesystem operations.
Impact
Exploitation of this vulnerability leads to the permanent deletion of essential OS and configuration files, causing system instability or failure. This could result in a denial-of-service condition, potential system takeover, forced recovery, and a loss of integrity and availability on the server.
Reproduction
To reproduce this vulnerability, first attempt to delete a file or folder through the ZimaOS frontend interface, which will be blocked. Next, intercept the API request using a tool like Burp Suite or browser DevTools. Locate the delete endpoint, such as '/v2_1/files/file' or '/v2_1/files/folder'. Then, modify the path parameter to target a restricted system directory, such as '/etc/passwd', '/usr/local/bin/critical-service', or '/etc/ssh/'. Send the altered request and observe that the file or folder in the specified internal system path is successfully deleted.
Remediation
To address this vulnerability, ZimaOS should implement strict server-side validation for all delete operations, allowing deletion only from predefined safe directories. Additionally, the system should reject any paths referencing critical system directories and consider applying filesystem sandboxing or chroot jail mechanisms. It is also crucial to ensure that backend access control is not solely reliant on frontend restrictions.
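As an added defensive example (not ZimaOS project code), the following Go program shows the kind of server-side path check the remediation describes: every delete request is validated on the backend against an allowlist of deletion roots and a denylist of protected system prefixes, regardless of what the frontend allows. The `/DATA` root, the protected-prefix list and the helper names are assumptions chosen for illustration, not ZimaOS's real configuration or API. The second function goes beyond the string-level check and resolves symlinks, because a link placed inside an allowed root that points at a system directory would otherwise pass a purely lexical test.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed configuration for this example only; ZimaOS's real data root and
// protected directories are not stated on the page.
var DefaultAllowedRoots = []string{"/DATA"}
var DefaultProtectedPrefixes = []string{
	"/etc", "/usr", "/bin", "/sbin", "/boot", "/lib", "/var/lib", "/root", "/proc", "/sys",
}

var (
	ErrNotAbsolute    = errors.New("delete path must be absolute")
	ErrProtectedPath  = errors.New("path references a protected system directory")
	ErrOutsideAllowed = errors.New("path is outside the allowed deletion roots")
	ErrRootItself     = errors.New("refusing to delete an allowed root directory itself")
)

// withinDir reports whether path lies strictly inside dir: not dir itself, and not
// a sibling whose name merely shares a prefix (e.g. /DATAX is not inside /DATA).
// Both arguments must already be cleaned, absolute paths.
func withinDir(dir, path string) bool {
	rel, err := filepath.Rel(dir, path)
	if err != nil || rel == "." || rel == ".." {
		return false
	}
	return !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ValidateDeletePath applies the lexical checks a delete handler must perform on
// the server before touching the filesystem: the path is absolute, traversal
// sequences are collapsed, protected prefixes are rejected, and the result must
// sit under one of the allowed roots. It returns the cleaned path to delete.
func ValidateDeletePath(requested string, allowedRoots, protectedPrefixes []string) (string, error) {
	if !filepath.IsAbs(requested) {
		return "", ErrNotAbsolute
	}
	clean := filepath.Clean(requested) // resolves "..", "//" and "/./" segments
	for _, p := range protectedPrefixes {
		p = filepath.Clean(p)
		if clean == p || withinDir(p, clean) {
			return "", fmt.Errorf("%w: %s", ErrProtectedPath, clean)
		}
	}
	for _, root := range allowedRoots {
		root = filepath.Clean(root)
		if clean == root {
			return "", ErrRootItself
		}
		if withinDir(root, clean) {
			return clean, nil
		}
	}
	return "", fmt.Errorf("%w: %s", ErrOutsideAllowed, clean)
}

// ValidateExistingDeletePath adds the filesystem-level check for a path that
// exists: symlinks in the target and in the roots are resolved, then the lexical
// checks are re-run on the resolved names, so a link under an allowed root that
// points elsewhere is rejected. Roots that do not exist are skipped (assumption).
func ValidateExistingDeletePath(requested string, allowedRoots, protectedPrefixes []string) (string, error) {
	clean, err := ValidateDeletePath(requested, allowedRoots, protectedPrefixes)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(clean)
	if err != nil {
		return "", err
	}
	resolvedRoots := make([]string, 0, len(allowedRoots))
	for _, r := range allowedRoots {
		if rr, err := filepath.EvalSymlinks(r); err == nil {
			resolvedRoots = append(resolvedRoots, rr)
		}
	}
	return ValidateDeletePath(resolved, resolvedRoots, protectedPrefixes)
}

func main() {
	// Constructed sample requests: the system paths named on the page plus one
	// legitimate user-data path and one traversal attempt.
	for _, p := range []string{
		"/etc/passwd", "/usr/local/bin/critical-service", "/etc/ssh/",
		"/DATA/../etc/ssh", "/DATA", "/DATA/Documents/report.txt",
	} {
		clean, err := ValidateDeletePath(p, DefaultAllowedRoots, DefaultProtectedPrefixes)
		if err != nil {
			fmt.Printf("REJECT %-32s -> %v\n", p, err)
			continue
		}
		fmt.Printf("ALLOW  %-32s -> would delete %s\n", p, clean)
	}
}
```

The handler for the file and folder delete endpoints would call `ValidateExistingDeletePath` and only then `os.Remove` or `os.RemoveAll` on the returned path; a rejection should be logged with the original request, since repeated rejections of paths such as `/etc/passwd` are a useful detection signal. This check is in addition to, not instead of, per-user authorization for the target path.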