CVE-2021-44983
Description
In taocms 3.0.1, after logging in to the background, there is an arbitrary file download vulnerability in the File Management column.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Taocms 3.0.1 background file management allows arbitrary file download via manipulated 'path' parameter.
Vulnerability
In taocms 3.0.1, the file management functionality accessible after administrative login contains an arbitrary file download vulnerability. An authenticated administrator can manipulate the path parameter in the download request to retrieve any file on the server, bypassing intended directory restrictions. The affected component is the file management column in the admin panel [1].
Exploitation
An attacker must have valid administrator credentials to log into the taocms background. Once logged in, navigate to the "file management" section. Intercept the download request (e.g., using Burp Suite) and modify the path parameter to point to an arbitrary file (e.g., ../../etc/passwd). The application does not sanitize or restrict the path traversal, allowing access to files outside the intended directory [1].
Impact
Successful exploitation leads to unauthorized reading of arbitrary files on the server filesystem. This could expose sensitive data such as configuration files (containing database credentials), application source code, or system files (e.g., /etc/passwd). The attacker operates with the privileges of the web server process, which may be elevated. No write or execute capabilities are achieved, but information disclosure can enable further attacks [1].
Mitigation
No official patch or fixed version has been released for taocms 3.0.1 as per the available references. The project appears to be unmaintained. Until a fix is provided, administrators should avoid exposing the admin panel to untrusted networks and restrict access to the file management functionality through web server access controls (e.g., .htaccess or IP whitelisting). As of publication, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
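As an added illustration that is not taocms code (taocms is a PHP application; the check is language-neutral and shown here in Python), the unchecked path join the narrative describes sits beside a hardened resolver that confines downloads to the file manager's directory, with a helper for spotting traversal attempts in a logged `path` parameter. The base directory is a constructed placeholder.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder for the directory the file manager is meant to serve from.
BASE_DIR = os.path.realpath("/var/www/taocms/upload")


def vulnerable_resolve(path: str) -> str:
    """Unchecked join, as in the flawed download handler: '../' walks out of BASE_DIR."""
    return os.path.normpath(os.path.join(BASE_DIR, path))


def safe_resolve(path: str) -> Optional[str]:
    """Return the absolute target only if it stays inside BASE_DIR, otherwise None."""
    if "\x00" in path:                      # NUL bytes can truncate paths in C-backed file APIs
        return None
    # join() drops BASE_DIR when `path` is absolute; realpath() collapses '..' and symlinks,
    # so the containment test below sees the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(BASE_DIR, path))
    # commonpath() rejects sibling-prefix escapes such as .../upload_evil/x that a plain
    # startswith() check would accept.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


def looks_like_traversal(raw_param: str) -> bool:
    """Detection helper for logged query parameters: flags '..' segments, even double-encoded."""
    decoded = unquote(unquote(raw_param))
    return ".." in decoded.replace("\\", "/").split("/")
```

Run the resolver over the `path` values seen in access logs for the file management endpoint to separate ordinary downloads from requests that would have escaped the directory.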
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- taocms/taocms
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/taogogo/taocms/issues/10 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.