CVE-2020-20290
📋 TL;DR
This directory traversal vulnerability in yccms 3.3 lets an attacker delete arbitrary files on the server by supplying a path containing '../' sequences to the CMS's delete, deletesite, or deleteAll functions. It affects every deployment of yccms 3.3. Any file the web server process is permitted to unlink is at risk, including CMS configuration files, application code, and uploaded content.
💻 Affected Systems
- yccms
📦 What is this software?
yccms is a PHP-based content management system published by Yccms.
⚠️ Risk & Real-World Impact
Worst Case
Deletion of any file the web server process can unlink. If the CMS runs as a privileged user (for example root, or a user that owns the application tree), this extends to OS or application files whose loss leaves the host unstable or the site unrecoverable without backups. Arbitrary file deletion does not by itself yield code execution; the damage is loss of data and availability.
Likely Case
Application disruption through deletion of CMS files, configuration files, or user uploads, causing website malfunction.
If Mitigated
Limited impact where the web server user has write access only to directories it genuinely needs (uploads, cache) and where PHP is confined with open_basedir: deletions are then restricted to non-critical application data.
🎯 Exploit Status
Crafted HTTP requests to the delete functions with '../' sequences in the file parameter are sufficient; no memory corruption or timing is involved. No authentication required. Verify in your own deployment whether the delete, deletesite, and deleteAll functions are reachable without an admin session, since that determines who can trigger the deletion.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - No official patch documented
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
1. Check if yccms 3.3 is installed.
2. Consider upgrading to a newer version if available.
3. Apply manual code fixes to validate file paths before any unlink() call.
4. Remove or disable the vulnerable delete functions if they are not needed.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation that resolves the requested path (realpath) and rejects anything outside the intended directory, rather than stripping '../' sequences from the input.
Stripping alone is bypassable: a single-pass removal turns '....//' into '../', and URL-encoded or backslash variants are not caught by a literal match. Add the PHP check directly before every file operation in the delete, deletesite, and deleteAll functions.
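The following is an added example written for this page, not yccms code: a delete handler in its vulnerable shape next to a hardened one that uses realpath() containment. It assumes the CMS keeps deletable files under one directory (called 'uploads' here) and receives the target as a 'file' parameter; the actual yccms parameter names and directory layout are not documented in this advisory. The self-check at the bottom creates a throwaway directory so the script runs stand-alone; it rejects the '../config.php' attempt and deletes only the in-directory file.

```php
<?php
// Added example (not yccms code). Assumed layout: deletable files live under
// one base directory; the user-controlled value comes from a 'file' parameter.
declare(strict_types=1);

// Vulnerable shape: the parameter is joined onto the base directory and
// unlinked without any check, so '../../config.php' escapes the base.
function deleteFileVulnerable(string $baseDir, string $userPath): bool
{
    $target = $baseDir . '/' . $userPath;
    return file_exists($target) && unlink($target);
}

// Hardened: resolve base and target with realpath() (which also follows
// symlinks), then require the resolved target to sit inside the base.
// Returns the resolved path that was deleted, or null when rejected.
function deleteFileSafe(string $baseDir, string $userPath): ?string
{
    // Reject empty input and control characters (including NUL bytes).
    if ($userPath === '' || preg_match('/[\x00-\x1f]/', $userPath)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() returns false for a non-existent target; nothing to delete.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Containment check: resolved target must start with base + separator,
    // which defeats '../' and symlinks pointing outside the base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (!is_file($target)) {
        return null; // never unlink directories or special files
    }
    return unlink($target) ? $target : null;
}

// Self-check in a throwaway directory (constructed, not real CMS data).
$tmp = sys_get_temp_dir() . '/yccms_demo_' . getmypid();
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/photo.jpg', 'x');
file_put_contents($tmp . '/config.php', '<?php // secret');

$rejected     = deleteFileSafe($tmp . '/uploads', '../config.php') === null;
$deleted      = deleteFileSafe($tmp . '/uploads', 'photo.jpg') !== null;
$configIntact = file_exists($tmp . '/config.php');
echo json_encode(compact('rejected', 'deleted', 'configIntact')), PHP_EOL;

// Cleanup
array_map('unlink', glob($tmp . '/uploads/*') ?: []);
unlink($tmp . '/config.php');
rmdir($tmp . '/uploads');
rmdir($tmp);
```

The prefix comparison is done on the realpath() output on both sides, so an attacker cannot satisfy it with a path that merely begins with the same string (for example a sibling directory 'uploads2'), because the trailing separator is part of the prefix.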
Web Server Restrictions
Configure the web server and PHP so that the web server user can only write to directories it genuinely needs, and confine PHP file operations to the application tree with open_basedir (for example php_admin_value open_basedir "/var/www/yccms:/tmp" in the Apache vhost, or open_basedir in php.ini).
Note that making the web server user the owner of the whole application tree (chown www-data:www-data /var/www/yccms) has the opposite effect: it grants the vulnerable code permission to delete every application file. Own the code with root, give the web server group read-only access, and hand write access only to the upload directory (the /uploads path below is an assumption; use your deployment's actual upload directory):
chown -R root:www-data /var/www/yccms
find /var/www/yccms -type d -exec chmod 750 {} +
find /var/www/yccms -type f -exec chmod 640 {} +
chown -R www-data:www-data /var/www/yccms/uploads
🧯 If You Can't Patch
- Implement WAF rules to block directory traversal patterns in HTTP requests, and make sure the WAF URL-decodes (including double decoding) before matching so that %2e%2e%2f and %252e%252e%252f are caught as well as the literal '../'
- Restrict network access to the yccms application, in particular the admin interface, using firewall rules or an allow-list of source addresses
🔍 How to Verify
Check if Vulnerable:
Check if yccms version is 3.3 by examining source files or the admin panel. Then, in a staging copy, send a request to one of the delete functions with a file parameter such as '../<known-harmless-file>' and confirm whether the file outside the intended directory is removed. Do not test against a production deployment with real files.
Check Version:
grep -rin 'version' /path/to/yccms/ | grep -F '3.3'
Verify Fix Applied:
Repeat the traversal test from the staging copy after applying fixes and confirm the request is rejected. Also test URL-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f), and backslash ('..\') variants, and a symlink inside the upload directory pointing outside it; the fix is only complete if every one of these is refused.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences, in literal or encoded form, to the delete, deletesite, or deleteAll endpoints
- File deletion errors or unexpected "file not found" errors in application logs
- Unusual unlink activity in system or audit logs originating from the web server user
Network Indicators:
- HTTP requests with encoded directory traversal sequences (%2e%2e%2f, or double-encoded %252e%252e%252f)
- Repeated requests to the delete endpoints whose file parameters reference paths outside the upload directory (these are ordinary GET or POST requests, not the HTTP DELETE method)
SIEM Query:
source="web_logs" AND (uri="*delete*" AND (uri="*../*" OR uri="*..%2f*" OR uri="*%2e%2e%2f*" OR uri="*%252e%252e%252f*" OR uri="*..%5c*"))
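The SIEM query above matches only the encodings it lists. As an added example that is not part of the advisory, the PHP script below applies the same logic to constructed access-log lines but decodes the URI until it stops changing, so any depth of percent-encoding collapses to the literal sequence, and normalises backslashes. The endpoint names come from the advisory; the 'file' parameter name and the sample log lines are constructed. It requires PHP 8 for str_contains() and str_ends_with().

```php
<?php
// Added detection example (not part of the advisory). Sample log lines are
// constructed; the 'file' parameter name is an assumption.
declare(strict_types=1);

// Decode repeatedly (bounded) so %252e%252e%252f collapses to ../ exactly as
// the application would see it after the server and its own decoding pass.
function fullyDecode(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// $requestLine is the quoted request from a combined log, e.g.
// "GET /admin.php?a=delete&file=../config.php HTTP/1.1" (without the quotes).
function isTraversalDelete(string $requestLine): bool
{
    if (!preg_match('#^\S+\s+(\S+)#', $requestLine, $m)) {
        return false;
    }
    $uri = strtolower(fullyDecode($m[1]));
    $uri = str_replace('\\', '/', $uri); // treat ..\ like ../
    $hitsDeleteEndpoint = (bool) preg_match('/delete(site|all)?/', $uri);
    $hasTraversal = str_contains($uri, '../') || str_ends_with($uri, '..');
    return $hitsDeleteEndpoint && $hasTraversal;
}

// Returns the indexes of log lines that look like traversal attempts
// against a delete endpoint.
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        // The request is the first double-quoted field of a combined log line.
        if (preg_match('/"([^"]*)"/', $line, $m) && isTraversalDelete($m[1])) {
            $hits[] = $n;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '203.0.113.5 - - [01/Jan/2021:10:00:00 +0000] "GET /admin.php?a=delete&file=../../config.php HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Jan/2021:10:00:01 +0000] "GET /admin.php?a=deleteAll&file=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Jan/2021:10:00:02 +0000] "GET /admin.php?a=deletesite&file=%252e%252e%252fconfig.php HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Jan/2021:10:00:03 +0000] "GET /admin.php?a=delete&file=photo.jpg HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Jan/2021:10:00:04 +0000] "GET /index.php?page=../etc/passwd HTTP/1.1" 404 0',
];

print_r(scanLog($sample));
```

Run against the sample, the first three lines (literal, single-encoded, and double-encoded traversal against a delete endpoint) are flagged; the fourth is a legitimate in-directory delete and the fifth is traversal against a non-delete endpoint, so neither is reported. The same decode-then-match approach is what a WAF rule for this CVE needs, otherwise the encoded variants slip past a literal '../' pattern.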