Multiple directory traversal vulnerabilities in index.php in XCMS 1.82 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the s parameter to the admin page or (2) the pg parameter to an arbitrary module, as demonstrated by reading a password hash in a .dtb file under dati/membri/ or by executing embedded PHP code in images under uploads/avatar/.
XCMS 1.82 and earlier versions are vulnerable to multiple directory traversal vulnerabilities, allowing attackers to read arbitrary files and potentially execute code. This can lead to sensitive data disclosure, including password hashes, and complete system compromise through malicious code execution.
Step 1: Payload Delivery: The attacker crafts a malicious URL containing a directory traversal payload in either the s or pg parameter. For example, index.php?s=../../dati/membri/.dtb or index.php?pg=../../uploads/avatar/malicious.php.jpg.
Step 2: Parameter Processing: The vulnerable index.php script receives the crafted URL and attempts to process the s or pg parameter.
Step 3: Path Construction: The script uses the unsanitized parameter value to construct a file path.
Step 4: File Access: The script attempts to access the file specified by the constructed path. Due to the directory traversal payload, this path leads outside the intended directory.
Step 5: Information Disclosure/Code Execution: If the file exists and the web server process has permission to read it, the script either returns the file's contents (e.g., password hashes from a .dtb file) or, when the file is included as PHP, executes the embedded code (e.g., a web shell hidden in an uploaded avatar image).
The vulnerability stems from insufficient input validation in index.php when handling the s (admin page) and pg (module) parameters. The application does not sanitize this user-supplied input, so ../ sequences are passed through into the file path and traverse the directory structure. Attackers can therefore specify arbitrary file paths, leading to the reading of sensitive files such as .dtb files containing password hashes or the execution of PHP code embedded in image files. The root cause is a missing or inadequate path traversal filter: the parameter values are never restricted to a known set of pages or modules, and the resolved path is never checked to lie inside the intended directory before the file is accessed.
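As an added illustration (not XCMS code), the following Python model contrasts the naive path construction described in the steps above with a hardened resolver that allowlists the page/module name and then verifies containment after path resolution. The directory names are assumptions chosen to mirror the paths in the advisory; the traversal payloads used in the checks are the ones quoted above.

```python
"""Defensive model of the s/pg path handling described in the advisory.
Constructed for this page; not XCMS code."""
import os
import re
import urllib.parse
from typing import Optional

# Assumed layout (constructed for the example, mirroring the advisory's directories).
WEBROOT = os.path.realpath("/var/www/xcms")
MODULE_DIR = os.path.join(WEBROOT, "modules")   # assumed home of pg= modules
ADMIN_DIR = os.path.join(WEBROOT, "admin")      # assumed home of s= admin pages

# Only plain page/module names are acceptable: letters, digits, underscore, hyphen.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_path(base_dir: str, param: str) -> str:
    """The vulnerable pattern: the raw parameter is glued onto a directory."""
    return os.path.join(base_dir, param)


def safe_path(base_dir: str, param: str) -> Optional[str]:
    """Hardened resolver: allowlist the name, then prove the resolved path stays in base_dir."""
    name = urllib.parse.unquote(param)          # decode %2e%2e / %2f before checking
    if "\x00" in name or not SAFE_NAME.fullmatch(name):
        return None                             # rejects '../', '/', '.', encoded variants, NUL
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Second line of defence: containment still holds if the allowlist is loosened later.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_base(base_dir: str, path: str) -> bool:
    """Does a constructed path, once resolved, leave base_dir? Used to show the naive failure."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base
```

Running `escapes_base` over `naive_path` with the advisory's payloads shows the resolved path leaving the module directory, while `safe_path` returns None for every traversal attempt and a contained path for an ordinary module name.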