CVE-2020-18070
📋 TL;DR
This path traversal vulnerability in iCMS v7.0.13 allows remote attackers to delete arbitrary folders on the server by sending specially crafted HTTP requests to the database.admincp.php component. Attackers can exploit the do_del() method to execute directory deletion commands, potentially causing data loss or service disruption. All iCMS v7.0.13 installations with the vulnerable component exposed are affected.
💻 Affected Systems
- iCMS
📦 What is this software?
iCMS by idreamsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system directories, leading to data loss, service unavailability, and potential privilege escalation if system files are affected.
Likely Case
Deletion of web application directories, configuration files, or user data causing service disruption, data loss, and potential defacement.
If Mitigated
Limited impact with proper file permissions, directory restrictions, and input validation preventing traversal beyond allowed paths.
🎯 Exploit Status
Exploitation requires crafting HTTP requests to the vulnerable endpoint. The GitHub issue shows proof of concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v7.0.14 or later
Vendor Advisory: https://github.com/idreamsoft/iCMS/issues/46
Restart Required: No
Instructions:
1. Download the latest iCMS version from the official repository.
2. Back up your current installation.
3. Replace the vulnerable files with patched versions.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Restrict Access to Admin Components
Block external access to database.admincp.php and other admin components using web server rules or firewall rules (allow only administrator addresses if the component must stay reachable).
# Apache 2.4: Add to .htaccess
<Files "database.admincp.php">
Require all denied
</Files>
# Apache 2.2 (or 2.4 with mod_access_compat): equivalent syntax
<Files "database.admincp.php">
Order Deny,Allow
Deny from all
</Files>
# Nginx: Add to server block (put "allow <admin IP>;" before "deny all;" to keep admin access)
location ~ /database\.admincp\.php$ {
deny all;
}
Implement Input Validation
Add path traversal validation in the do_del() method to reject unsafe input before any deletion is performed.
# PHP example: Add to the do_del() method, before the path is used
<?php
$path = $_POST['path'] ?? '';
// Reject empty values, ".." sequences, backslashes (Windows separators) and absolute paths.
// This is a minimal deny-list; resolving the path with realpath() and checking that it
// stays inside the intended base directory is the stronger check.
if ($path === '' || strpos($path, '..') !== false || strpos($path, '\\') !== false || strpos($path, '/') === 0) {
die('Invalid path');
}
🧯 If You Can't Patch
- Implement strict file permissions to limit deletion capabilities to non-critical directories.
- Deploy a web application firewall (WAF) with path traversal protection rules.
🔍 How to Verify
Check if Vulnerable:
Test by sending a crafted HTTP POST request to /database.admincp.php with path traversal payloads and observing if directory deletion occurs.
Check Version:
Check the iCMS version in the admin panel or review the version file in the installation directory.
Verify Fix Applied:
After patching, attempt the same exploit and verify that path traversal attempts are blocked or sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to database.admincp.php with suspicious path parameters containing '..' or traversal sequences.
- File deletion events in system logs corresponding to web server process.
Network Indicators:
- POST requests to /database.admincp.php with path parameters in the payload.
SIEM Query (Splunk-style; a substring match needs wildcards, and the payload field is only populated when request bodies are logged):
source="web_logs" AND uri="/database.admincp.php" AND (payload="*..*" OR payload="*%2e%2e*")
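The log indicators above can be checked with a small script. This is an added example, not part of the advisory or of iCMS: it parses Apache/Nginx access-log request lines (the sample lines are constructed), fully percent-decodes each query parameter so encoded and double-encoded traversal sequences are not missed, and reports requests to database.admincp.php whose parameters contain "..". The endpoint name and the `path` parameter are taken from the advisory; the log format and field names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request-line part of the Apache/Nginx access-log format: client IP,
# timestamp, method and request target are all this detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')
# ".." bounded by a slash or backslash (or the string edge); "file..txt" does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

# Constructed sample lines (not from a real deployment): a benign request, a plain
# traversal, a percent-encoded one, a traversal against another script (ignored
# by the endpoint filter) and a double-encoded one.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2021:12:00:01 +0000] "POST /database.admincp.php?do=del HTTP/1.1" 200 512
203.0.113.11 - - [10/Mar/2021:12:00:02 +0000] "POST /database.admincp.php?do=del&path=../../config HTTP/1.1" 200 512
203.0.113.12 - - [10/Mar/2021:12:00:03 +0000] "GET /database.admincp.php?do=del&path=%2e%2e%2f%2e%2e%2fuploads HTTP/1.1" 200 512
203.0.113.13 - - [10/Mar/2021:12:00:04 +0000] "GET /index.php?p=../../etc HTTP/1.1" 200 512
203.0.113.14 - - [10/Mar/2021:12:00:05 +0000] "POST /database.admincp.php?do=del&path=%252e%252e%252fbackup HTTP/1.1" 200 512
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double encoding
    (%252e -> %2e -> .) cannot hide a traversal sequence."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_requests(log_text, endpoint="database.admincp.php"):
    """Return one record per request to `endpoint` whose query string carries a
    traversal sequence in any parameter value after full decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path, _, raw_query = m.group("target").partition("?")
        if not fully_decode(raw_path).endswith("/" + endpoint):
            continue  # only the vulnerable admin component is of interest here
        for name, value in parse_qsl(raw_query, keep_blank_values=True):
            value = fully_decode(value)  # parse_qsl decoded one layer already
            if TRAVERSAL_RE.search(value):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "method": m.group("method"), "param": name,
                             "decoded_value": value})
                break  # one alert per request line
    return hits
```

Standard access logs do not record POST bodies, so a `path` value sent in the body (the case the advisory describes) is only visible if request-body logging is enabled at the reverse proxy or WAF; run the same check over those records.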