← Advisories

u5CMS 3.9.3 (deletefile.php) Arbitrary File Deletion Vulnerability

Medium
Advisory ID
ZSL-2015-5226
Release Date
09 February 2015
Vendor
Stefan P. Minder - http://www.yuba.ch
Affected Version
3.9.3 and 3.9.2
CVE
CVE-2015-1577
Tested On
Apache 2.4.10 (Win32), PHP 5.6.3, MySQL 5.6.21
Summary

u5CMS is a little, handy Content Management System for medium-sized websites, conference / congress / submission administration, review processes, personalized serial mails, PayPal payments and online surveys based on PHP and MySQL and Apache.

Description

Input passed to the 'f' parameter in 'deletefile.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected GET parameter.

Proof of Concept
u5cms_del.txtTXT
Disclosure Timeline
29.12.2014Vulnerability discovered.
04.02.2015Contact with the vendor.
04.02.2015Vendor replies asking more details.
05.02.2015Sent details to the vendor.
06.02.2015Vendor releases version 3.9.4 to address this issue.
09.02.2015Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://yuba.ch/index.php?c=u5cms&l=en
[2]http://www.exploit-db.com/exploits/36026
[3]http://xforce.iss.net/xforce/xfdb/100773
[4]http://cxsecurity.com/issue/WLB-2015020039
[5]http://packetstormsecurity.com/files/130325
[6]http://osvdb.org/show/osvdb/118104
[7]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1577
[8]http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1577
Changelog
09.02.2015Initial release
11.02.2015Added reference [2], [3], [4], [5] and [6]
12.02.2015Added reference [7] and [8]