CVE-2021-36544
📋 TL;DR
CVE-2021-36544 is an incorrect access control vulnerability in tpcms 3.2 that allows remote attackers to view sensitive information by manipulating paths in application URLs. This affects all systems running tpcms 3.2 with default configurations, potentially exposing confidential data to unauthorized users.
💻 Affected Systems
- tpcms
📦 What is this software?
Tpcms by Tpcms Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive configuration files, database credentials, user data, or administrative information, leading to complete system compromise or data breach.
Likely Case
Unauthenticated attackers can enumerate and download sensitive files from the web server, potentially obtaining configuration details or user information.
If Mitigated
With proper access controls and file permissions, impact is limited to non-sensitive files or returns access denied errors.
🎯 Exploit Status
Exploitation involves simple path traversal or directory listing techniques. The vulnerability is well-documented in public issue trackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.2 (check latest release)
Vendor Advisory: https://gitee.com/happy_source/tpcms/issues/I3YNWY
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download the latest version of tpcms from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Verify that file permissions are set correctly.
5. Test the application functionality.
🔧 Temporary Workarounds
Web Server Access Restrictions
Configure the web server to deny direct requests for sensitive files. The patterns below leave .php out of the extension list because tpcms is a PHP application and denying .php would take the site down; block .php only inside directories that must never be served directly.
# Apache 2.4: add to .htaccess (or the vhost config). On Apache 2.2 replace the
# Require line with "Order allow,deny" followed by "Deny from all".
<FilesMatch "\.(inc|conf|sql|log)$">
    Require all denied
</FilesMatch>
# Nginx: add to the server block. The regex is not anchored to "/." (that form
# would only match dotfiles); ~* makes the match case-insensitive.
location ~* \.(inc|conf|sql|log)$ {
    deny all;
}
File Permission Hardening
Set restrictive file permissions on sensitive files and directories
# Linux/Unix
chmod 600 sensitive_config_file.conf
chmod 700 protected_directory/
# Windows
icacls sensitive_file.txt /deny Everyone:(R)
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block path traversal patterns
- Move sensitive files outside web root directory and implement proper access controls
🔍 How to Verify
Check if Vulnerable:
Attempt to access sensitive files via URL path manipulation (e.g., /../../config.php). If the file is served, the system is vulnerable.
Check Version:
Check the tpcms version in the admin panel, or look for a version.php file.
Verify Fix Applied:
After patching, repeat the same path traversal requests. Every sensitive file should return a 403/404 error or otherwise be inaccessible.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200/403 responses to unusual file paths
- Requests containing '../' patterns
- Access to known sensitive file names
Network Indicators:
- HTTP requests with path traversal sequences
- Unusual file extensions being requested
SIEM Query:
web.url:*../* AND (response_code:200 OR response_code:403)
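As an added example (not part of this advisory or the tpcms project), a small Python scanner that applies the log indicators above to web-server access-log lines: it percent-decodes each request path (twice, to catch double encoding), flags '../' sequences and requests for the sensitive extensions named in the workaround, and counts flagged requests per client. The combined log layout and the sample lines are assumed and constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined-log-format prefix (client, request line, status); the log layout is assumed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Extensions the advisory names as sensitive; .php is left out because it is the app itself.
SENSITIVE_EXT = re.compile(r'\.(inc|conf|sql|log)$', re.IGNORECASE)

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /index.php?m=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2021:13:55:40 +0000] "GET /public/../../config/database.php HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Oct/2021:13:56:01 +0000] "GET /%2e%2e/%2e%2e/runtime/log/app.log HTTP/1.1" 403 0',
    '198.51.100.9 - - [10/Oct/2021:13:56:05 +0000] "GET /backup/site.sql HTTP/1.1" 404 0',
]

def decode_path(raw):
    # Decode twice so %2e%2e/ and double-encoded %252e%252e/ both become '../'; fold '\' to '/'.
    return unquote(unquote(raw)).replace("\\", "/")

def classify(raw_path):
    """Return the indicator names a request path triggers (empty list if none)."""
    decoded = decode_path(raw_path)
    path_only = decoded.partition("?")[0]
    reasons = []
    if "../" in decoded or decoded.endswith("/.."):
        reasons.append("traversal")       # '../' anywhere, query string included
    if SENSITIVE_EXT.search(path_only):
        reasons.append("sensitive-file")  # extension from the advisory's list
    return reasons

def scan(lines):
    """Parse access-log lines; return one record per request that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("path"))
        if reasons:
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status")), "reasons": reasons})
    return hits

def by_client(hits):
    """Flagged requests per client: repeats from one address match the 'multiple responses' indicator."""
    return Counter(h["ip"] for h in hits)
```

A 200 on a flagged request means the file was actually served and deserves immediate follow-up; 403/404 hits still show who is probing.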