[CVE-ID]

CVE-2024-57451

[PRODUCT]

ChestnutCMS

[Vendor of Product]

https://github.com/liweiyi/ChestnutCMS

https://gitee.com/liweiyi/ChestnutCMS

[VERSION]

ChestnutCMS ≤ v1.5.0

[Vulnerability Type]

File Delete

[Description]

The getFileList method of FileController receives the filepath parameter.

com.chestnut.contentcore.controller.FileController#getFileList

The filepath is then passed to fileService.getSiteFileList, which calls the normalizePath method to filter directory traversal sequences and other special characters out of it.

com.chestnut.contentcore.service.impl.FileServiceImpl#getSiteFileList

The critical issue is that the filtering function does not remove ../ recursively; it relies on regular-expression replacement instead. This allows the filter to be bypassed with ...../.
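
The following is an added example, not ChestnutCMS code: it models the filter as two one-shot regex replacements (an assumption, since the real normalizePath body is not reproduced on this page) to show how ...../ collapses back into ../, and sets it beside a containment check built on Path.normalize() and startsWith. The class name, method names and site root are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class PathFilterDemo {

    // ASSUMED model of a non-recursive filter (not the project's normalizePath):
    // each pattern is replaced once and the result is never re-checked.
    static String singlePassFilter(String path) {
        path = path.replace('\\', '/');
        path = path.replaceAll("\\.\\./", "/"); // replace "../"
        path = path.replaceAll("\\./", "/");    // replace "./"
        return path.replaceAll("/+", "/");      // collapse repeated slashes
    }

    // Hardened form: resolve against the site root, normalize, then verify
    // containment. Path.startsWith compares whole name elements, so a sibling
    // such as /srv/cms/site1-backup does not count as inside /srv/cms/site1.
    static Path resolveInside(Path siteRoot, String userPath) {
        Path root = siteRoot.toAbsolutePath().normalize();
        String relative = userPath.replace('\\', '/').replaceAll("^/+", "");
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes site root: " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/cms/site1"); // constructed Unix-style sample root
        String[] inputs = {"images/logo.png", "../secret", "...../secret"};
        for (String input : inputs) {
            String filtered = singlePassFilter(input);
            String verdict;
            try {
                verdict = "accepted as " + resolveInside(root, filtered);
            } catch (SecurityException e) {
                verdict = "rejected";
            }
            System.out.printf("%-16s filter output: %-16s containment check: %s%n",
                    input, filtered, verdict);
        }
    }
}
```

The containment check does not depend on which character sequences the filter recognises: it decides on the resolved path, so it rejects the filter's output for ...../secret while still accepting ordinary in-root paths.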