SSCMS
cpe:2.3:a:sscms:sscms:*:*:*:*:*:*:*
- 4.7.0
A path traversal vulnerability has been identified in SSCMS version 4.7.0, specifically within the layerImage endpoint. The issue arises in the LayerImageController.Submit.cs file, where the function improperly handles user-supplied filePaths. This lack of proper validation allows for traversal sequences to be exploited, enabling access to files outside the designated upload directory. The vulnerability can be exploited remotely, and there is a public proof-of-concept available.
Exploitation of this vulnerability allows for unauthorized deletion of files on the server that are accessible through the application account. This could lead to data loss and potential disruptions in service. The risk is heightened if file-reading capabilities are also present in the same endpoint.
To reproduce this vulnerability, send a POST request to the /api/admin/common/editor/layerImage endpoint with an authorization bearer token for an admin account. Include a file path traversal string in the filePaths array, set isLinkToOriginal to false, and verify that the targeted file is deleted.
To address this vulnerability, implement the following measures: 1) Normalize paths to absolute canonical forms and enforce strict directory whitelists, 2) Replace user-supplied paths with server-generated file IDs or tokens, 3) Limit deletion operations to temporary files created by the server, 4) Validate file extensions, MIME types, and file signatures, and 5) Introduce security audit logs and regression tests for path traversal.
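As an added example of measures 1, 3 and 4 above (this is not SSCMS code and not the vendor's fix), a C# helper that canonicalizes a user-supplied path against the upload directory, rejects anything that escapes it, and only deletes server-side image files under that directory. The upload root, the extension whitelist and the method names are assumptions.

```csharp
using System;
using System.IO;

// Hypothetical defender-side guard for a file-deletion endpoint.
public static class UploadPathGuard
{
    // Resolve a user-supplied relative path against the upload root and
    // return the canonical absolute path only if it stays inside the root.
    public static string? ResolveInsideRoot(string uploadRoot, string userPath)
    {
        if (string.IsNullOrWhiteSpace(userPath)) return null;

        // Only paths relative to the upload directory are acceptable;
        // absolute input ("/etc/..." or "C:\...") is rejected outright.
        if (Path.IsPathRooted(userPath)) return null;

        string root = Path.GetFullPath(uploadRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses "..", "." and mixed separators, so a value
        // such as "../../appsettings.json" resolves to a path outside root.
        string candidate = Path.GetFullPath(Path.Combine(root, userPath));

        // Compare with the trailing separator kept on root so that a
        // sibling directory like "uploads2" does not pass as "uploads".
        // Windows file systems are case-insensitive, so compare accordingly.
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return candidate.StartsWith(root, cmp) ? candidate : null;
    }

    // Delete only image files that live under the upload root; the extension
    // list is an assumed whitelist for the example.
    public static bool TryDeleteUploadedImage(string uploadRoot, string userPath)
    {
        string? full = ResolveInsideRoot(uploadRoot, userPath);
        if (full is null) return false;

        string ext = Path.GetExtension(full).ToLowerInvariant();
        if (ext != ".jpg" && ext != ".jpeg" && ext != ".png" && ext != ".gif")
            return false;

        if (!File.Exists(full)) return false;
        File.Delete(full);
        return true;
    }
}
```

A stronger form of measure 2 is to never accept a path from the client at all: look up a server-issued upload ID in a table that maps it to the stored file, so the client cannot name a file outside that table.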