CVE-2018-20064
Description
doorGets 7.0 allows remote attackers to write to arbitrary files via directory traversal, as demonstrated by a dg-user/?controller=theme&action=edit&name=doorgets&file=../../1.txt%00 URI with content in the theme_content_nofi parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
doorGets 7.0 allows remote attackers to write arbitrary files via directory traversal in the theme editor.
Vulnerability
In doorGets 7.0, the theme editor at /dg-user/?controller=theme&action=edit&name=doorgets&file= does not properly sanitize the file parameter, so it is open to directory traversal. A request can include path traversal sequences (e.g., ../../) and a null byte (%00) to write to arbitrary files on the server. The vulnerable endpoint is accessible to authenticated users with admin panel access [1].
Exploitation
An attacker must have a valid admin session (e.g., via the PHPSESSID cookie) to access the dg-user area. The attacker sends a POST request with the file parameter containing path traversal and a null byte, and the desired content in the theme_content_nofi parameter. The request is sent to doorGets/dg-user/?controller=theme&action=edit&name=doorgets&file=../../<arbitrary_path>%00. The null byte truncates the appended file extension, allowing overwrite of any file the web server user can write [1].
Impact
Successful exploitation allows the attacker to write arbitrary content to any file on the server, such as PHP files in the web root, leading to remote code execution, website defacement, or denial of service. The attacker gains full control over the web application's files [1].
Mitigation
No official patch or updated version had been released as of the publication date. The vulnerability exists in doorGets 7.0. Administrators should restrict access to the dg-user area and monitor file integrity on the web root. If possible, disable the theme editor functionality until a fix is available [1].
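The root cause described above is a file name taken from the request and joined onto a theme directory without rejecting null bytes or `..` components. The following function is an added hardening example, not doorGets' own code: it resolves a requested theme file name to a canonical path and refuses anything that would land outside the theme directory. The theme root path, the allow-list of editable extensions and the function name are assumptions for illustration.

```php
<?php
// Added example (not from the doorGets project): resolve a user-supplied theme
// file name to a path that is guaranteed to lie inside the theme directory.
// Returns the canonical path on success, or null if the request must be refused.

function resolveThemeFile(string $themeRoot, string $requested): ?string
{
    // Reject null bytes outright: they truncate the path in C-level file calls,
    // which is exactly how the appended extension is bypassed in this CVE.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Accept only a conservative character set (no encoded bytes, no backslashes).
    if (!preg_match('~^[A-Za-z0-9_./-]+$~', $requested)) {
        return null;
    }

    // Refuse "..", empty segments (leading slash or "//") and "." segments.
    foreach (explode('/', $requested) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }

    // Assumed allow-list of editable theme assets: never PHP or config files.
    $allowedExtensions = ['html', 'css', 'js', 'tpl'];
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExtensions, true)) {
        return null;
    }

    // Canonicalise the theme root and the target's parent directory so that
    // symlinks are resolved before the containment check.
    $root = realpath($themeRoot);
    if ($root === false) {
        return null;
    }
    $parent = realpath($root . DIRECTORY_SEPARATOR . dirname($requested));
    if ($parent === false) {
        return null;
    }

    // Containment: the parent must be the root itself or a directory below it.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($parent !== rtrim($root, DIRECTORY_SEPARATOR)
        && strncmp($parent . DIRECTORY_SEPARATOR, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null;
    }

    return $parent . DIRECTORY_SEPARATOR . basename($requested);
}

// Usage with constructed inputs (the theme root is an assumed path):
$root = '/var/www/doorgets/themes/doorgets';
var_dump(resolveThemeFile($root, 'css/style.css'));   // canonical path, or null if the directory is missing
var_dump(resolveThemeFile($root, "../../1.txt\0"));   // null: null byte
var_dump(resolveThemeFile($root, '../../1.txt'));     // null: traversal component
var_dump(resolveThemeFile($root, 'index.php'));       // null: extension not editable
```

Two design points: the check runs on the canonical path returned by `realpath()` rather than on the raw string, so a traversal hidden behind a symlink is still caught; and the extension allow-list means that even a caller who forgets the path check cannot turn the theme editor into a PHP file writer. PHP 5.3.4 and later already refuse null bytes in most filesystem function paths, but the explicit check keeps the behaviour identical across versions and makes the refusal visible in application logs.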
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/doorgets/CMS/issues/12 (MISC)
News mentions
No linked articles in our index yet.