CVE-2020-7246: A remote code execution (RCE) vulnerability in qdPM 9.1

During security research I conducted on CVE-2020-7246, I discovered a clever method of exploiting arbitrary file deletion to bypass .htaccess restrictions.

Vulnerable endpoint: index.php/myAccount/update

Vulnerability and exploitation:

The exploit begins by sending two requests with users[remove_photo] set to 1 and users[photo_preview] set to ".htaccess" and "../.htaccess" respectively. Inspecting the source code of the account update function shows why this works.

If remove_photo is set to 1 (true), the application appends the unsanitized photo_preview value to a fixed string holding the uploads directory path, which yields a path traversal vulnerability. The resulting path is then passed to unlink(), which deletes the file.

Deleting the .htaccess file removes the access restrictions on uploaded PHP files in the uploads directory.

The second part of the exploit involves uploading a PHP file and accessing it directly. This works because the upload function applies no verification to uploaded files, allowing unrestricted file upload.

Mitigation

After the fix for this vulnerability, the application checks whether the file being removed is an image. However, an attacker can still delete images located outside the uploads directory, which means the path traversal is still present.
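The following PHP is an added example written for this writeup; it is not qdPM's code and does not reproduce the vendor's fix. It models the two steps described above (the delete path built from users[photo_preview] and handed to unlink(), and an upload step that accepts anything) and puts a contained version of each beside it. The function names, the uploads directory and the sample files are assumptions for the demo.

```php
<?php
// Added example (not qdPM's code). Models the delete step that appends
// users[photo_preview] to the uploads path before unlink(), and the upload
// step that accepts any file. Names and paths below are assumptions.

// Vulnerable pattern as described in the writeup, shown for contrast and
// not invoked below: the user-controlled name is concatenated onto the
// uploads path with no normalisation, so a value such as "../.htaccess"
// resolves outside the directory before unlink() runs.
function deletePhotoVulnerable(string $uploadsDir, string $photoPreview): bool
{
    return @unlink($uploadsDir . '/' . $photoPreview);
}

// Hardened delete: resolve both sides with realpath() and refuse anything
// that is not strictly inside the uploads directory. Checking that the
// target is an image (the approach the writeup says the fix took) does not
// close the hole, because an image outside the directory still passes it.
function deletePhotoSafe(string $uploadsDir, string $photoPreview): bool
{
    $base = realpath($uploadsDir);
    if ($base === false) {
        return false;                      // uploads dir missing
    }
    // Dotfiles such as .htaccess are never legitimate user uploads.
    if ($photoPreview === '' || $photoPreview[0] === '.') {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $photoPreview);
    if ($target === false) {
        return false;                      // nothing to delete
    }
    // Containment check. The trailing separator stops a sibling such as
    // "/var/www/uploads_old" from matching "/var/www/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        error_log("photo delete rejected, outside uploads dir: $photoPreview");
        return false;
    }
    return unlink($target);
}

// Hardened upload check: allowlist the extension, confirm via libmagic that
// the content really is that image type, and return a server-generated
// filename so the client never chooses what lands on disk. Returns null
// when the upload should be refused.
function acceptImageUpload(string $tmpPath, string $clientName): ?string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png',  'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if ($mime !== $allowed[$ext]) {
        return null;                       // extension and content disagree
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demo against a throwaway tree (constructed sample files) so the script
// runs stand-alone. The three names are the inputs the writeup discusses.
$root = sys_get_temp_dir() . '/qdpm-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/.htaccess", "Deny from all\n");
file_put_contents("$root/uploads/.htaccess", "php_flag engine off\n");
file_put_contents("$root/uploads/avatar.png", "constructed sample\n");

foreach (['avatar.png', '.htaccess', '../.htaccess'] as $name) {
    $result = deletePhotoSafe("$root/uploads", $name) ? 'deleted' : 'refused';
    printf("%-14s %s\n", $name, $result);
}

// A non-image renamed to .png fails the libmagic check and is refused.
file_put_contents("$root/disguised.png", "not an image\n");
var_dump(acceptImageUpload("$root/disguised.png", 'disguised.png'));

// Tidy up.
foreach (["$root/disguised.png", "$root/.htaccess",
          "$root/uploads/.htaccess", "$root/uploads/avatar.png"] as $f) {
    @unlink($f);
}
@rmdir("$root/uploads");
@rmdir($root);
```

The containment check is the part the image-type check cannot replace: realpath() collapses any "../" segments before the prefix comparison, so it does not matter how the traversal is encoded, and rejecting dotfiles up front keeps .htaccess (which an image check would never accept anyway) out of reach even when it lives inside the uploads directory. On the upload side, pairing an extension allowlist with a libmagic content check and a server-chosen filename addresses the second half of the chain, so that even if the directory's .htaccess were lost, no attacker-named PHP file would be sitting there to request.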