CVE-2020-17563
📋 TL;DR
CVE-2020-17563 is a path traversal vulnerability in FeiFeiCMS v4.0 that allows remote attackers to delete arbitrary files on the server by sending a specially crafted HTTP request to the admin template deletion endpoint. This affects all systems running FeiFeiCMS v4.0 with the vulnerable component exposed.
💻 Affected Systems
- FeiFeiCMS
📦 What is this software?
Feifeicms by Feifeicms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, leading to service disruption, data loss, or privilege escalation by removing authentication or configuration files.
Likely Case
Website defacement or disruption through deletion of web application files, templates, or configuration files, causing service unavailability.
If Mitigated
Limited impact if proper access controls restrict admin endpoints to authorized users only and file system permissions prevent deletion of critical files.
🎯 Exploit Status
Exploitation requires sending a crafted HTTP request to the vulnerable endpoint, but may need authentication depending on configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.0.1 or later
Vendor Advisory: Not publicly documented
Restart Required: No
Instructions:
1. Upgrade FeiFeiCMS to version 4.0.1 or later.
2. Replace the vulnerable files with patched versions from the official source.
3. Verify the fix by testing the affected endpoint.
🔧 Temporary Workarounds
Restrict Access to Admin Endpoints
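Block access to the vulnerable admin template deletion endpoint using web server configuration or firewall rules. The route is carried in the query string, which Apache's RewriteRule pattern and Nginx's location match do not see, so the rules below test the query string explicitly.
# Apache (mod_rewrite): match the query string with RewriteCond, then refuse index.php
RewriteCond %{QUERY_STRING} (^|&)s=/admin-tpl-del [NC]
RewriteRule ^/?index\.php$ - [F]
# Nginx (inside the location that serves index.php): if ($args ~* "(^|&)s=/admin-tpl-del") { return 403; }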
Implement Input Validation
Add server-side validation to sanitize the 'id' parameter in the admin template deletion function to prevent path traversal.
# Example PHP snippet to validate input (also rejects a missing or non-string 'id'): $id = $_GET['id'] ?? ''; if (!is_string($id) || strpos($id, '..') !== false) { die('Invalid input'); }
🧯 If You Can't Patch
- Implement strict access controls to limit admin endpoints to trusted IP addresses only.
- Monitor and audit file deletion activities on the server to detect exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Test by sending a crafted HTTP request to /index.php?s=/admin-tpl-del&id=../../../../etc/passwd and checking for file deletion or error responses.
Check Version:
Check the FeiFeiCMS version in the admin panel or by examining the application files for version identifiers.
Verify Fix Applied:
After patching, repeat the test request; it should return an error or no longer delete files outside the intended directory.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /index.php?s=/admin-tpl-del with suspicious 'id' parameters containing path traversal sequences (e.g., '..', '/')
- File deletion events in system or application logs corresponding to admin template operations
Network Indicators:
- Unusual HTTP traffic patterns to admin endpoints from untrusted sources
- Requests with path traversal payloads in URL parameters
SIEM Query:
source="web_server_logs" AND url="/index.php?s=/admin-tpl-del" AND (id="*..*" OR id="*../*")
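The log indicators above, as an added example that is not part of the original advisory or of FeiFeiCMS: a Python scan of access-log lines for requests to the admin-tpl-del route whose 'id' parameter contains a traversal sequence, including percent-encoded forms that a literal `*..*` match would miss. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (combined log format assumed; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:01:02 +0000] "GET /index.php?s=/admin-tpl-del&id=default/old.html HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2021:10:02:40 +0000] "GET /index.php?s=/admin-tpl-del&id=../../example.txt HTTP/1.1" 200 87
203.0.113.9 - - [12/Mar/2021:10:02:55 +0000] "GET /index.php?s=%2Fadmin-tpl-del&id=%2e%2e%2fexample.txt HTTP/1.1" 200 87
203.0.113.9 - - [12/Mar/2021:10:03:01 +0000] "GET /index.php?s=/admin-tpl-del&id=%252e%252e%252fexample.txt HTTP/1.1" 200 87
198.51.100.4 - - [12/Mar/2021:10:03:11 +0000] "GET /index.php?s=/home-index HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so nested encoding is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text):
    """Return (client_ip, decoded_id) for suspicious admin-tpl-del requests."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        params = parse_qs(query, keep_blank_values=True)
        route = fully_decode(params.get("s", [""])[0]).strip("/").lower()
        if route != "admin-tpl-del":
            continue
        for raw_id in params.get("id", []):
            path = fully_decode(raw_id).replace("\\", "/")
            # Flag a '..' path segment or an absolute path in the id value.
            if ".." in path.split("/") or path.startswith("/"):
                hits.append((line.split()[0], path))
    return hits


if __name__ == "__main__":
    for client, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: id={path}")
```
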