CVE-2021-37144
📋 TL;DR
CVE-2021-37144 is an arbitrary file deletion vulnerability in CSZ CMS 1.2.9. The application hands a user-controlled file path to PHP's unlink() without validating it, so a path traversal sequence in the request deletes files outside the intended directory. It affects every installation running the vulnerable version. Within the permissions of the web server user, an attacker can delete application files, configuration files, or uploaded content.
💻 Affected Systems
- CSZ CMS 1.2.9
📦 What is this software?
CSZ CMS is an open-source PHP content management system built on the CodeIgniter framework and maintained by cskaza (github.com/cskaza/cszcms).
⚠️ Risk & Real-World Impact
Worst Case
Deletion of everything the web server user can write, including application code and configuration files, taking the site down entirely. If a file enforcing an access control (such as an .htaccess) is removed, protected content may become reachable, and the resulting state can be a stepping stone to further attacks.
Likely Case
Deletion of web application files, configuration files, or user-uploaded content, causing service disruption, data loss, and potential defacement.
If Mitigated
Limited to files the web server user is allowed to delete, ideally only user-uploaded content, when the web root is read-only for the web server user and only the upload directory is writable.
🎯 Exploit Status
Exploitation is straightforward: the attacker supplies a path traversal sequence in the file path parameter of the deletion request. A public proof of concept is in the GitHub issue linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.10 or later
Vendor Advisory: https://github.com/cskaza/cszcms/issues/32
Restart Required: No
Instructions:
1. Back up the installation (files and database) before changing anything.
2. Download the latest release from the official repository.
3. Upgrade following the vendor's instructions so that the vulnerable files are replaced with patched versions.
4. Verify that file ownership and permissions are still correct after the upgrade (the web server user should not be able to write to application code or configuration).
5. Re-test the file deletion functionality with a traversal sequence and confirm it is rejected.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict validation of every file path parameter before it reaches unlink().
Accept only a bare file name (no directory separators, no "." or ".."), resolve it with realpath(), and confirm the resolved path is inside the single directory the feature is allowed to delete from; reject everything else.
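The check described above, written out as an added example rather than CSZ CMS's own code. The handler names, the `file` request parameter and the upload directory are assumptions; the demo runs against a throwaway temporary directory so nothing on a real site is touched.

```php
<?php
// Added example (not CSZ CMS's own code): the unsafe pattern behind this
// class of bug beside a hardened replacement. Function names, the upload
// directory and the request parameter are assumptions for illustration.

// Unsafe: the request value is joined to the upload directory and handed
// straight to unlink(), so "../config.php" walks out of the directory.
function delete_attachment_unsafe(string $uploadDir, string $requested): bool
{
    return @unlink($uploadDir . '/' . $requested);
}

// Hardened: accept only a bare file name, resolve it with realpath() and
// refuse anything that does not end up inside the upload directory.
function delete_attachment_safe(string $uploadDir, string $requested): bool
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;                      // upload directory missing or unreadable
    }
    // A bare name has no separators, is not "." or "..", and has no NUL byte
    // (PHP 8 filesystem functions throw on NUL; older versions truncated at it).
    if ($requested === '' || $requested === '.' || $requested === '..'
        || $requested !== basename($requested)
        || strpos($requested, "\0") !== false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;                      // nonexistent, or not a regular file
    }
    // realpath() follows symlinks, so a planted link pointing at a file
    // outside $base resolves there and fails this prefix check.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

// Demo on a throwaway directory (constructed input, nothing touches the real site).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cszdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/report.pdf', 'attachment');
file_put_contents($root . '/config.php', '<?php // stand-in for the site config');
@symlink($root . '/config.php', $root . '/uploads/link.pdf');   // attacker-planted link

// 1. The unsafe handler follows the traversal and removes the config file.
delete_attachment_unsafe($root . '/uploads', '../config.php');
echo 'unsafe handler, config.php still present: ',
     var_export(file_exists($root . '/config.php'), true), PHP_EOL;
file_put_contents($root . '/config.php', '<?php // restored for the next checks');

// 2. The hardened handler rejects traversal and the symlink, accepts the real name.
echo 'safe handler, traversal accepted:   ',
     var_export(delete_attachment_safe($root . '/uploads', '../config.php'), true), PHP_EOL;
echo 'safe handler, symlink accepted:     ',
     var_export(delete_attachment_safe($root . '/uploads', 'link.pdf'), true), PHP_EOL;
echo 'safe handler, legitimate accepted:  ',
     var_export(delete_attachment_safe($root . '/uploads', 'report.pdf'), true), PHP_EOL;
echo 'config.php still present afterwards: ',
     var_export(file_exists($root . '/config.php'), true), PHP_EOL;

// Clean up the demo directory.
array_map('unlink', glob($root . '/uploads/*'));
rmdir($root . '/uploads');
unlink($root . '/config.php');
rmdir($root);
```

Run with `php delete_demo.php`. The prefix comparison is done on the realpath() result rather than on the raw string on purpose: string-level filtering of "../" misses URL-encoded, doubled, and symlink-based variants, whereas comparing the resolved absolute path against the resolved base directory rejects all of them with one check.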
File Permission Restrictions
Run PHP as an unprivileged user that cannot write to application code or configuration, and grant write access only to the upload directory, so that even a successful traversal can delete nothing but uploads. Making the web server user the owner of the whole web root (a common shortcut) does the opposite and should be avoided. The commands assume a Debian-style layout with the site in /var/www/html, PHP running as www-data, and an upload directory named uploads (replace with the directory the CMS actually uses):
chown -R root:www-data /var/www/html
find /var/www/html -type d -exec chmod 750 {} \;
find /var/www/html -type f -exec chmod 640 {} \;
chown -R www-data:www-data /var/www/html/uploads
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that block path traversal patterns (../, ..\) in requests to the file deletion functionality, and make sure the rule also matches URL-encoded and double-encoded forms (%2e%2e%2f, %2e%2e%5c, %252e%252e%252f); a rule that only matches the literal "../" is trivially bypassed
- Restrict file deletion functionality to authenticated administrators only and implement additional authorization checks
🔍 How to Verify
Check if Vulnerable:
Confirm the installed version is 1.2.9 by examining the version file or the admin panel. To test the behaviour directly, submit a traversal sequence in the file deletion parameter on a non-production copy of the site: a successful test deletes the targeted file, so do not run it against production.
Check Version:
Check /system/application/config/version.php or admin panel version display
Verify Fix Applied:
Verify the version is 1.2.10 or later, then confirm that a traversal attempt in the file deletion parameter is rejected and that the targeted file is still present afterwards.
📡 Detection & Monitoring
Log Indicators:
- PHP warnings from unlink() in the PHP error log, such as "No such file or directory" or "Permission denied", which appear when a traversal attempt names a file that does not exist or cannot be removed
- Requests containing path traversal patterns (../, ..\), including their URL-encoded forms (%2e%2e%2f, %2e%2e%5c)
- Bursts of file deletion requests from a single IP, especially when the file names are configuration or application files rather than uploads
Network Indicators:
- HTTP requests to the file management or deletion endpoints whose file path parameter contains traversal sequences or absolute paths
- Repeated deletion requests in quick succession from one source, consistent with an attacker enumerating target files
SIEM Query (field names depend on the platform; match case-insensitively so %2E is caught as well as %2e):
source="web_logs" AND (uri="*unlink*" OR uri="*delete*" OR uri="*remove*") AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*" OR uri="*%2e%2e%5c*" OR uri="*..%2f*" OR uri="*..%5c*" OR uri="*%252e%252e*")
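The same detection logic applied to raw access-log lines, as an added example that is not part of the original page or of CSZ CMS. It decodes URL encoding before matching so that the encoded variants the SIEM query has to spell out individually are caught by one pattern. The log lines and endpoint names are constructed for the demo; the real parameter name in CSZ CMS may differ.

```php
<?php
// Added example (not from the original page or CSZ CMS): a small scanner that
// applies the SIEM idea to raw access-log lines, decoding URL encoding first.
// Log lines and endpoint names below are constructed for the demo.

function normalise_uri(string $uri): string
{
    // Decode twice so double-encoded sequences (%252e%252e%252f) are caught as
    // well as single-encoded ones, then fold "\" into "/" so "..\" and "..%5c"
    // variants match the same pattern as "../".
    $decoded = rawurldecode(rawurldecode($uri));
    return str_replace('\\', '/', $decoded);
}

function is_traversal_attempt(string $uri): bool
{
    $n = normalise_uri($uri);
    // Limit to requests that look like file-management actions so that a
    // harmless "../" in an ordinary page link does not raise an alert.
    $fileAction = preg_match('#(unlink|delete|remove)#i', $n) === 1;
    $traversal  = preg_match('#\.\./#', $n) === 1;
    return $fileAction && $traversal;
}

// Returns client IP => number of flagged requests, so a burst from one source stands out.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Combined log format: client IP is the first field, request line is quoted.
        if (preg_match('/^(\S+) .*?"(?:GET|POST|DELETE) (\S+) HTTP/', $line, $m) !== 1) {
            continue;
        }
        [, $ip, $uri] = $m;
        if (is_traversal_attempt($uri)) {
            $hits[$ip] = ($hits[$ip] ?? 0) + 1;
        }
    }
    return $hits;
}

// Constructed sample: one legitimate delete, three traversal variants (plain,
// URL-encoded, backslash-encoded) and an unrelated "../" in a page URL.
$sample = [
    '203.0.113.5 - - [10/Jul/2021:12:00:01 +0000] "GET /admin/attachments/delete?file=report.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2021:12:00:02 +0000] "GET /admin/attachments/delete?file=../../config/database.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Jul/2021:12:00:03 +0000] "GET /admin/attachments/delete?file=%2e%2e%2f%2e%2e%2fconfig%2fdatabase.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Jul/2021:12:00:04 +0000] "GET /admin/attachments/delete?file=..%5c..%5cconfig%5cdatabase.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Jul/2021:12:00:05 +0000] "GET /blog/../index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $ip => $count) {
    printf("%s: %d suspicious file-deletion request(s)\n", $ip, $count);
}
```

Run with `php scan_log.php`, or feed a real log with `scan_log(file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES))`. Note that a 200 response says nothing about whether the deletion succeeded; correlate flagged requests with the PHP error log entries listed above and with the state of the named files.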