Directory traversal vulnerability in system/admin/images.php in LoveCMS 1.6.2 Final allows remote attackers to delete arbitrary files via a .. (dot dot) in the delete parameter.
LoveCMS 1.6.2 Final contains a critical directory traversal flaw that allows attackers to delete arbitrary files on the server. This can lead to complete system compromise and data loss, impacting confidentiality, integrity, and availability. Successful exploitation requires no authentication, posing a significant risk to any affected web application.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP request to system/admin/images.php.
Step 2: Parameter Manipulation: The attacker includes a delete parameter in the request, containing a directory traversal payload (e.g., ../../../etc/passwd).
Step 3: Vulnerable Code Execution: The images.php script processes the request, constructs a file path based on the attacker-controlled delete parameter, and attempts to delete the specified file.
Step 4: File Deletion: Due to the lack of input validation, the script successfully deletes the file specified by the attacker, which could be any file the web server user has permission to delete.
Step 5: System Compromise: Depending on the deleted file, the attacker can achieve various levels of compromise, including denial of service, information disclosure, or remote code execution (if a critical system file is deleted or overwritten).
The vulnerability stems from insufficient input validation in the system/admin/images.php script's handling of the delete parameter. Specifically, the script fails to properly sanitize user-supplied input, allowing attackers to inject directory traversal sequences (../) into the delete parameter. This manipulation allows the attacker to construct a path outside of the intended directory, enabling the deletion of any file accessible by the web server's user. The root cause is a lack of proper path normalization and validation before performing the file deletion operation. The script likely constructs a file path based on the delete parameter without verifying that the resulting path remains within the intended directory structure. This leads to a path traversal vulnerability, which is a type of input validation flaw.
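One way to close the gap described above, shown as an added example that is not LoveCMS code: the delete parameter is accepted only as a bare file name, and the canonical path is checked to lie inside the image directory before unlink() runs. IMAGE_DIR, the function names and the $_SESSION['is_admin'] key are assumptions.

```php
<?php
// Added example, not LoveCMS code: a delete handler that only removes files
// inside the intended image directory. IMAGE_DIR, the function names and the
// $_SESSION['is_admin'] check are assumptions.
const IMAGE_DIR = __DIR__ . '/uploads/images';   // assumed intended directory
// Resolve $name against $baseDir; return the absolute path only when the
// result is a regular file strictly below $baseDir, otherwise null.
function resolveInside(string $baseDir, string $name): ?string
{
    // Accept bare file names only: no path separators, no NUL bytes.
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so the prefix
    // comparison below is made on canonical paths; it is false if the file is missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}
// Delete one image by bare file name; true on success, false when rejected.
function deleteImage(string $name): bool
{
    $path = resolveInside(IMAGE_DIR, $name);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    return unlink($path);
}

// The pattern the advisory describes, shown only as a comment:
//   unlink(IMAGE_DIR . '/' . $_GET['delete']);   // "../.." escapes IMAGE_DIR
// Hardened entry point (after session_start()): the admin action is also session-gated.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit;
}
if (isset($_GET['delete'])) {
    deleteImage((string) $_GET['delete']);
}
```

Because realpath() returns the canonical path, encoded or nested traversal sequences and symlinks pointing outside the directory are all caught by the single prefix comparison rather than by pattern-matching on "../".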