CVE-2022-23316
Description
An issue was discovered in taoCMS v3.0.2. There is an arbitrary file read vulnerability that can read any files via admin.php?action=file&ctrl=download&path=../../1.txt.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
taoCMS v3.0.2 contains an arbitrary file read vulnerability in the file download functionality, allowing authenticated administrators to read any file on the server.
Vulnerability
In taoCMS v3.0.2, the file download functionality in admin.php?action=file&ctrl=download passes the path parameter directly to the file_get_contents function without any sanitization or validation. The vulnerable code is located at line 55 in \taocms\include\Model\File.php [1]. This allows an authenticated administrator to read arbitrary files by manipulating the path parameter with directory traversal sequences such as ../../1.txt.
Exploitation
An attacker must first authenticate as an administrator to access the file management interface. After logging in, the attacker navigates to the file management section and uses the edit function. By intercepting the HTTP request with a tool like Burp Suite, the attacker can modify the path parameter to include directory traversal payloads (e.g., ../../etc/passwd). The request is then sent, and the server returns the contents of the specified file [1].
Impact
Successful exploitation allows an authenticated administrator to read any file on the server that the web server process has access to. This can lead to disclosure of sensitive information such as configuration files, database credentials, source code, and other confidential data. The vulnerability does not require any special privileges beyond the admin role.
Mitigation
As of the publication date (2022-02-04), no official patch has been released by the vendor. The reference [1] does not mention a fix. Users are advised to restrict access to the admin panel to trusted users only, implement input validation and sanitization for the path parameter, or consider upgrading to a newer version if available. If no update exists, the application may be at risk until a patch is applied.
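The root cause described above is a download handler that hands the request's path parameter straight to file_get_contents, so "../" sequences walk out of the intended directory. The following PHP is an added example of the input validation the mitigation calls for; it is not taoCMS code and does not reproduce the project's File.php. It assumes the application has one fixed base directory it intends to serve (here a hypothetical uploads directory), resolves the requested name against the real filesystem with realpath, and refuses anything that does not land inside that directory. The self-test at the bottom creates its own temporary files, so it runs offline under the PHP CLI.

```php
<?php
// Added example (not taoCMS code): confine a user-supplied download path to a
// fixed base directory before reading it. Assumptions: $baseDir is the only
// directory the application intends to serve; $requested is the untrusted
// "path" request parameter.

function resolveDownloadPath(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist; nothing to serve
    }
    // A NUL byte would truncate the path in the underlying C call (and makes
    // realpath() throw on PHP 8), so reject it before touching the filesystem.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and duplicate separators and follows
    // symlinks, so the comparison below is made on the canonical location.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // file does not exist
    }
    // Containment check. Compare against the base plus a trailing separator so
    // that a sibling such as "/srv/uploads2" does not pass for "/srv/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory: traversal attempt
    }
    if (!is_file($candidate)) {
        return null; // directories and special files are not downloadable
    }
    return $candidate;
}

// How a handler would use it, in place of file_get_contents($_GET['path']):
//
//   $path = resolveDownloadPath(__DIR__ . '/uploads', $_GET['path'] ?? '');
//   if ($path === null) { http_response_code(400); exit('invalid path'); }
//   header('Content-Type: application/octet-stream');
//   header('Content-Disposition: attachment; filename="' . basename($path) . '"');
//   readfile($path);

// Self-test with constructed files: a legitimate name resolves, a traversal
// payload and a sibling-directory prefix collision are both refused.
function selfTest(): bool
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dlcheck_' . getmypid();
    $base = $root . DIRECTORY_SEPARATOR . 'uploads';
    mkdir($base, 0700, true);
    mkdir($root . DIRECTORY_SEPARATOR . 'uploads2', 0700, true);
    file_put_contents($base . DIRECTORY_SEPARATOR . 'report.txt', "constructed\n");
    file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', "constructed\n");
    file_put_contents($root . DIRECTORY_SEPARATOR . 'uploads2' . DIRECTORY_SEPARATOR . 'x.txt', "constructed\n");

    $ok = true;
    $ok = $ok && resolveDownloadPath($base, 'report.txt') === realpath($base . DIRECTORY_SEPARATOR . 'report.txt');
    $ok = $ok && resolveDownloadPath($base, '../secret.txt') === null;      // traversal
    $ok = $ok && resolveDownloadPath($base, '../uploads2/x.txt') === null;  // prefix collision
    $ok = $ok && resolveDownloadPath($base, "report.txt\0.png") === null;  // NUL truncation
    $ok = $ok && resolveDownloadPath($base, '.') === null;                  // directory, not file

    // cleanup
    unlink($base . DIRECTORY_SEPARATOR . 'report.txt');
    unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
    unlink($root . DIRECTORY_SEPARATOR . 'uploads2' . DIRECTORY_SEPARATOR . 'x.txt');
    rmdir($root . DIRECTORY_SEPARATOR . 'uploads2');
    rmdir($base);
    rmdir($root);
    return $ok;
}

echo selfTest() ? "all checks passed\n" : "a check failed\n";
```

The containment check is done on the realpath result rather than by stripping "../" from the input, because string filtering misses encoded or doubled sequences and symlinks; comparing canonical paths answers the only question that matters, whether the file the OS will actually open lives under the directory the application meant to expose.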
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- taoCMS/taoCMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/taogogo/taocms/issues/15 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.