Source: cna@vuldb.com
A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the component Template Handler. Such manipulation leads to path traversal. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Dromara UJCMS 101.2 contains a critical path traversal vulnerability that allows attackers to delete arbitrary files and directories on the server. A working remote exploit is publicly available and, given the vendor's lack of response, the issue poses a significant risk of system compromise and data loss.
Step 1: Craft the Payload: The attacker constructs a malicious URL or request containing a path traversal payload, such as ../../../../etc/passwd. This payload is designed to navigate the file system hierarchy.
Step 2: Submit the Request: The attacker sends the crafted request to the vulnerable delete endpoint of WebFileTemplateController in UJCMS.
Step 3: Path Construction: The deleteDirectory function receives the attacker-controlled path. Due to insufficient input validation, the path traversal sequence is not properly sanitized.
Step 4: File Deletion: The function attempts to delete the directory specified by the attacker-controlled, unsanitized path. This results in the deletion of files and directories outside the intended scope, potentially including critical system files.
The vulnerability lies within the deleteDirectory function in WebFileTemplateController.delete. The root cause is likely improper validation and sanitization of user-supplied data used to construct file paths: the application fails to adequately check the directory path provided by the attacker, so path traversal sequences (e.g., ../) can move the target outside the intended directory. The result is deletion of files and directories outside the intended scope, potentially up to complete system compromise. The lack of proper access control checks on the delete operation further exacerbates the issue.
While no specific APTs are directly linked, the public availability of the exploit and the severity of the vulnerability make it attractive to various threat actors. It could be leveraged by ransomware groups or as part of data exfiltration. Inclusion in the CISA KEV catalog is plausible if the issue is not already listed.
Monitor web server logs for suspicious requests containing path traversal sequences (e.g., ../).
Analyze file system activity for unexpected file deletions, especially in critical system directories.
Implement file integrity monitoring to detect unauthorized modifications or deletions.
Network Intrusion Detection Systems (IDS) can be configured to detect malicious HTTP requests containing path traversal payloads.
Examine the application's source code for instances of deleteDirectory and related functions, looking for missing or inadequate input validation.
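As an added detection example (this is not part of the advisory and not UJCMS code), the following Python applies the log-review advice above to a few constructed access-log lines. It percent-decodes each request target repeatedly so single- and double-encoded traversal sequences are exposed, splits the decoded target into path and query components, and flags any request in which a component is exactly "..". The "/delete?dir=" route in the sample lines is a placeholder standing in for the vulnerable delete endpoint, not the real UJCMS URL.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx common log format. The
# "/delete?dir=" route is a placeholder for the vulnerable delete endpoint;
# it is not the real UJCMS URL.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.7 - - [10/Jan/2025:10:00:02 +0000] "POST /delete?dir=../../../../etc HTTP/1.1" 200 12
10.0.0.7 - - [10/Jan/2025:10:00:03 +0000] "POST /delete?dir=%2e%2e%2f%2e%2e%2fconf HTTP/1.1" 200 12
10.0.0.9 - - [10/Jan/2025:10:00:04 +0000] "POST /delete?dir=%252e%252e%252fetc HTTP/1.1" 200 12
10.0.0.9 - - [10/Jan/2025:10:00:05 +0000] "GET /static/css/style.css HTTP/1.1" 304 0
10.0.0.3 - - [10/Jan/2025:10:00:06 +0000] "POST /delete?dir=templates/old HTTP/1.1" 200 12
"""

# ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e (double-encoded) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if any path or query component of the decoded request target is '..'."""
    decoded = decode_fully(target)
    # Split on both slash styles and on query-string delimiters so that
    # '..' hidden in a parameter value (dir=../..) is seen as a component.
    components = re.split(r"[\\/?&=;#]", decoded)
    return ".." in components


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text, endpoint_prefix=None):
    """Return (ip, method, decoded target, status) for each traversal attempt.

    endpoint_prefix optionally narrows the scan to one route prefix so an
    alert can be tied to the delete handler rather than to any URL.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if endpoint_prefix and not rec["target"].startswith(endpoint_prefix):
            continue
        if has_traversal(rec["target"]):
            hits.append((rec["ip"], rec["method"], decode_fully(rec["target"]), rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ip} {method} {target} -> HTTP {status}")
```

A status of 200 on a flagged request is the signal to correlate with file-system activity, since the advisory's delete path does not fail on a traversal sequence; a WAF or IDS rule built on the same decode-then-split logic avoids the common blind spot of matching only the literal "../" string.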
Implement robust input validation and sanitization on all user-supplied input, especially file paths. This includes rejecting or escaping path traversal sequences (e.g., ../).
Implement strict access control to restrict file deletion operations to authorized users and directories.
Update to a patched version of UJCMS (if available).
If no patch is available, consider a Web Application Firewall (WAF) to filter malicious requests.
Regularly back up critical data to ensure data recovery in case of a successful attack.
Review and harden server configurations to minimize the attack surface.
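As an added illustration of the input-validation and access-control advice above (example code written for this page, not UJCMS's own implementation; the template root and directory names are constructed placeholders), the Python below contrasts a naive join, which is the shape of the bug described for deleteDirectory, with a containment check that canonicalizes the candidate path and refuses anything that does not resolve to a strict descendant of the template root. The check works on the resolved path rather than on the raw string because stripping "../" substrings is not enough: percent-encoded and nested forms survive naive stripping, while canonicalization handles them all.

```python
import os
import shutil
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the template root."""


def unsafe_target(base_dir, user_path):
    # The vulnerable pattern: the user-controlled string is joined onto the
    # root and handed straight to the filesystem. normpath() shows where the
    # kernel would actually land once the '..' components are applied.
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_target(base_dir, user_path):
    """Return the canonical path for user_path under base_dir, or raise.

    Rules: no NUL bytes, no absolute input, and the fully resolved result
    (symlinks and '..' applied) must be a strict descendant of the resolved
    base. The base itself is rejected so a caller cannot delete the root.
    """
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute paths are not allowed")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} resolves outside {base}")
    return candidate


def delete_template_dir(base_dir, user_path, dry_run=True):
    """Validate first, then delete. With dry_run=True only the target is reported."""
    target = safe_target(base_dir, user_path)
    if not dry_run:
        shutil.rmtree(target)
    return target


def check_many(base_dir, candidates):
    """Map each candidate path to True (accepted) or False (rejected)."""
    results = {}
    for c in candidates:
        try:
            safe_target(base_dir, c)
            results[c] = True
        except PathTraversalError:
            results[c] = False
    return results


if __name__ == "__main__":
    ROOT = "/srv/ujcms/templates"  # constructed placeholder, not a real install path
    for p in ["old", "a/../b", "", "..", "../../etc", "/etc", "old/../../secret"]:
        verdict = "accept" if check_many(ROOT, [p])[p] else "REJECT"
        print(f"{p!r:20} naive join -> {unsafe_target(ROOT, p):26} check -> {verdict}")
```

The containment check is the code-level counterpart of the access-control item above: even an authenticated template editor is confined to the template root, so an authorization bug elsewhere cannot turn into arbitrary deletion. The dry-run default keeps the demonstration safe to run on any machine.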