CVE-2022-28527

An attacker must first authenticate to the admin backend [ref_id=1]. The attacker then sends a POST request to `/admin.php?r=admin/AdminBackup/del` with a `data` parameter containing `../` path traversal sequences (e.g., `data=../111`) [ref_id=1]. Because the code only blocks `.` or `..` but not `../` or `..\`, the traversal succeeds and deletes an arbitrary folder [ref_id=1].

The vulnerability resides in `/framework/ext/Util.php` [ref_id=1]. The code does not filter `../` or `..\` sequences, only filtering `.` or `..`, which allows directory traversal in the delete operation [ref_id=1]. The vulnerable endpoint is `/admin.php?r=admin/AdminBackup/del` [ref_id=1].

No patch is provided in the bundle. The researcher recommends filtering `../` or `..\` sequences in the input handling code within `/framework/ext/Util.php` [ref_id=1]. The fix should reject or sanitize path traversal patterns before passing the value to the file deletion routine.

1. Log in to the backend. 2. Send a POST request to `/admin.php?r=admin/AdminBackup/del` with `Content-Type: application/x-www-form-urlencoded` and body `data=../111` (or similar traversal payload). The server responds indicating the folder was deleted successfully [ref_id=1].