[CVE-ID]

CVE-2024-57452

[PRODUCT]

ChestnutCMS

[Vendor of Product]

https://github.com/liweiyi/ChestnutCMS

https://gitee.com/liweiyi/ChestnutCMS

[VERSION]

ChestnutCMS ≤ v1.5.0

[Vulnerability Type]

File Delete

[Description]

The delete controller receives the filepath parameter and assigns it to the filePathArr variable. It then calls the fileService.deleteFiles method, which passes each path through the normalizePath filtering function. This function does not recursively filter sequences such as ../, so ...../ can be used to bypass the filter. As a result, a malicious file name can be assigned to the path parameter, leading to an arbitrary file deletion vulnerability.

com.chestnut.contentcore.controller.FileController#deleteFile

Controller:

The deleteFile method.

com.chestnut.contentcore.service.impl.FileServiceImpl#deleteFiles

The normalizePath method

com.chestnut.common.utils.file.FileExUtils#normalizePath
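
Added example, not ChestnutCMS code: why a non-recursive string filter leaves a traversal sequence behind, next to a containment check that does not depend on string filtering. The class name, singlePassFilter (a hypothetical stand-in, not the project's normalizePath), resolveInside, the base directory and the sample inputs are all assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class DeletePathCheck {

    // Hypothetical single-pass sanitizer (an assumption, NOT the project's
    // normalizePath): each pattern is stripped once and the result is never
    // re-checked, so one replacement can produce what an earlier one removed.
    static String singlePassFilter(String p) {
        return p.replace('\\', '/')
                .replace("../", "/")
                .replace("./", "/")
                .replace("//", "/");
    }

    // Hardened form: resolve the user value against the resource root,
    // normalize the result, and require that it stays under the root.
    // Absolute inputs replace the root in resolve() and fail the same check.
    static Path resolveInside(Path base, String userPath) {
        Path root = base.toAbsolutePath().normalize();
        Path target = root.resolve(userPath).normalize();
        if (target.equals(root) || !target.startsWith(root)) {
            throw new SecurityException("path escapes resource root: " + userPath);
        }
        // In a real deployment also compare toRealPath() of an existing
        // target so that symlinks cannot redirect the delete.
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/cms/resources"); // constructed directory
        String[] samples = {                         // constructed inputs
            "images/logo.png",
            "...../...../keep.txt"                   // pattern named in the advisory
        };
        for (String input : samples) {
            String filtered = singlePassFilter(input);
            try {
                Path ok = resolveInside(base, filtered);
                System.out.println(input + " -> filter: " + filtered + " -> allowed: " + ok);
            } catch (SecurityException e) {
                System.out.println(input + " -> filter: " + filtered + " -> rejected");
            }
        }
    }
}
```

The containment check gives the same verdict whether it is applied to the raw or the filtered value, which is why it is the control to rely on before any delete call.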