Dromara UJCMS Path Traversal Vulnerability in Template Handler Allowing Recursive Deletion

Vulnerability

A path traversal vulnerability has been identified in Dromara UJCMS version 101.2, specifically within the Template Handler component. The issue arises in the WebFileTemplateController.delete method, where the deleteDirectory function fails to properly validate certain inputs. Although the application attempts to block standard path traversal sequences, it inadvertently allows empty strings and single forward slashes. This oversight can be exploited to delete all files and subdirectories within the root of the template storage directory, effectively removing the website's templates, styles, and scripts. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
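To show why a filter that only blocks traversal sequences still lets an empty string or a lone "/" collapse onto the template root, and what a check that also rejects the root itself looks like, here is an added Python illustration (not UJCMS's Java code). The template root path and the sample inputs are constructed for the demonstration; paths are normalized lexically so nothing touches the filesystem.

```python
import posixpath

# Constructed template root for the demo; UJCMS's real layout is not on the page.
TEMPLATE_ROOT = "/srv/ujcms/templates"


def naive_allows(rel: str) -> bool:
    """Models the flawed filter the advisory describes: '..' and backslashes
    are blocked, but '' and '/' contain no traversal sequence and pass."""
    return ".." not in rel and "\\" not in rel


def normalize(base: str, rel: str) -> str:
    """Join under base and collapse './', '../' and duplicate slashes.
    A leading '/' is stripped so posixpath.join cannot discard base."""
    return posixpath.normpath(posixpath.join(base, rel.lstrip("/")))


def hardened_target(base: str, rel: str) -> str:
    """Return the directory to delete, or raise ValueError.

    All three must hold: the request is not empty / slashes only; the
    normalized path is strictly below base; and it is not base itself
    (the root-deletion case that the naive filter misses).
    """
    if rel is None or not rel.strip("/ \t\r\n"):
        raise ValueError("empty or root-only path rejected")
    if "\x00" in rel:
        raise ValueError("NUL byte rejected")
    base = posixpath.normpath(base)
    target = normalize(base, rel)
    if target == base or not target.startswith(base + "/"):
        raise ValueError(f"{rel!r} resolves to or outside the template root")
    return target


def compare(rel: str) -> dict:
    """For one input: what the naive filter allows, where that would land,
    and what the hardened check decides ('rejected' or the target path)."""
    try:
        hardened = hardened_target(TEMPLATE_ROOT, rel)
    except ValueError:
        hardened = "rejected"
    allowed = naive_allows(rel)
    return {"input": rel, "naive_allows": allowed,
            "naive_target": normalize(TEMPLATE_ROOT, rel) if allowed else None,
            "hardened": hardened}


if __name__ == "__main__":
    # Constructed samples: one legitimate deletion plus the bypass shapes.
    for rel in ["site1/old-theme", "/", "", "./", "theme/../", "a/../.."]:
        print(compare(rel))
```

Note that the naive filter maps both "/" and "" to the template root itself, which is exactly the recursive-deletion target the advisory describes; the hardened check treats "equal to base" as a rejection, not merely "outside base".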

Impact

Exploitation of this vulnerability leads to a denial-of-service condition by causing a recursive deletion of all files and subdirectories in the template storage directory. This action removes critical frontend assets such as HTML templates, CSS, JavaScript, and images, rendering the website unusable. Additionally, while system files remain intact, the application's functionality is severely compromised due to the loss of essential resources.

Reproduction

To reproduce this vulnerability, send a request to the WebFileTemplateController.delete method with a payload that bypasses the application's input validation. An empty string or a single forward slash can be used to exploit the path traversal vulnerability. Once the request is processed, the deleteDirectory function will normalize the input and delete all files and subdirectories within the root of the template storage directory. After exploitation, the server will respond with a 200 OK status, but the website will return 404 or 500 errors due to the missing frontend assets.

Added: Feb 22, 2026, 2:18 PM
Updated: Feb 22, 2026, 2:18 PM

Vulnerability Rating

Custom Algorithm

spread:          1.0
impact:          5.0
exploitability:  6.3
remediation:     0.0
relevance:       3.1
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.