VYPR
Unrated severity · NVD Advisory · Published Nov 11, 2018 · Updated Sep 17, 2024

CVE-2018-19181

Description

statics/ueditor/php/vendor/Local.class.php in YUNUCMS 1.1.5 allows arbitrary file deletion via the statics/ueditor/php/controller.php?action=remove key parameter, as demonstrated by using directory traversal to delete the install.lock file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

YUNUCMS 1.1.5 allows unauthenticated remote attackers to delete arbitrary files via directory traversal in the UEditor file removal feature.

Vulnerability

The remove() function in statics/ueditor/php/vendor/Local.class.php of YUNUCMS 1.1.5 reads the key parameter from $_POST['key'] and passes it directly to unlink() without sufficient validation. The only check verifies that the supplied path starts with uploads; because this is a textual prefix test, it is bypassed by prepending /uploads/.. to the target file path, which satisfies the prefix and then traverses out of the upload directory. The vulnerable code path is reachable via /statics/ueditor/php/controller.php?action=remove without any authentication [1].
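The weak prefix test described above next to the containment check that closes the hole, as an added Python illustration of the technique (not YUNUCMS's PHP code); the function names, the site-root layout and the sample files are constructed for the demo, and the only page-derived value is the traversal key from the advisory:

```python
import os
import tempfile
from typing import Optional

def prefix_check(key: str) -> bool:
    """Weak check of the kind the advisory describes: a textual prefix
    test that '..' segments after the prefix walk straight past."""
    return key.lstrip("/").startswith("uploads")

def resolve_inside(site_root: str, key: str) -> Optional[str]:
    """Canonical path for `key` if it lies inside <site_root>/uploads,
    else None. realpath collapses '..' and symlinks, so the decision is
    made on the real filesystem location, not on the request string."""
    if "\x00" in key:
        return None
    allowed = os.path.realpath(os.path.join(site_root, "uploads"))
    candidate = os.path.realpath(os.path.join(site_root, key.lstrip("/")))
    # commonpath compares whole components, so "uploads_old/x" is not a
    # child of "uploads"; the upload directory itself is never deletable.
    if candidate == allowed or os.path.commonpath([allowed, candidate]) != allowed:
        return None
    return candidate

def safe_remove(site_root: str, key: str) -> bool:
    """Delete the file only if it resolves inside the upload directory."""
    path = resolve_inside(site_root, key)
    if path is None or not os.path.isfile(path):
        return False
    os.remove(path)
    return True

def demo() -> dict:
    """Constructed layout: <root>/uploads/a.jpg and <root>/data/install.lock,
    mirroring the advisory's proof-of-concept target (hypothetical site root)."""
    root = tempfile.mkdtemp()
    for rel in ("uploads/a.jpg", "data/install.lock"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    traversal = "/uploads/../data/install.lock"  # the key value named in the advisory
    return {
        "prefix_passes_traversal": prefix_check(traversal),
        "hardened_rejects_traversal": resolve_inside(root, traversal) is None,
        "legit_removed": safe_remove(root, "/uploads/a.jpg"),
        "lock_survives": os.path.exists(os.path.join(root, "data/install.lock")),
    }

if __name__ == "__main__":
    print(demo())
```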

Exploitation

An attacker can send a POST request to /statics/ueditor/php/controller.php?action=remove with a key parameter containing a traversal payload such as /uploads/../data/install.lock. No authentication, session, or special privileges are required. The server processes the request and deletes the specified file [1].

Impact

Successful exploitation allows an attacker to delete any file the web server process is permitted to unlink (in practice, any file in a directory writable by that process), limited only by filesystem permissions. The referenced proof of concept deletes the install.lock file, whose removal re-enables the application's installer. This can be chained with a subsequent re-installation to execute arbitrary PHP code by controlling the database configuration or other inputs supplied during installation, resulting in full remote code execution [1].

Mitigation

As of the referenced advisory, no patched version was released. The vendor repository appears unmaintained. Site administrators should restrict access to the UEditor controller path through web server rules (e.g., .htaccess or Nginx location blocks) or remove the UEditor component entirely if not needed. There is no known fix in later versions of YUNUCMS [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)