External Control of File Name or Path in flatpressblog/flatpress
Description
A path traversal vulnerability in flatpressblog/flatpress before 1.3 allows attackers to delete arbitrary files via a crafted filename in the mediamanager plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A path traversal vulnerability exists in the mediamanager plugin of flatpressblog/flatpress prior to version 1.3. The doItemActions function in fp-plugins/mediamanager/panels hands the deletefile GET parameter to a file-deletion routine without adequate sanitization, so a value containing traversal sequences such as ../ resolves to a path outside the media directory and that file is deleted.
Exploitation
An attacker with access to the mediamanager panel (normally an authenticated session) sends a request whose deletefile parameter contains traversal sequences (e.g., ../../config.php). Because the vulnerable code does not filter .., /, or \, the supplied value escapes the media directory, and any file the web server process has permission to remove can be deleted.
Impact
Successful exploitation allows an attacker to delete arbitrary files on the server, potentially leading to data loss, denial of service, or further compromise if critical files (e.g., configuration files) are removed.
Mitigation
The vulnerability is fixed in commit 5d5c7f6 [1], which strips .., /, and \ from the filename before it is used. The fix is included in version 1.3; users should upgrade to flatpress 1.3 or later. No workarounds are documented.
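The pattern described in the Vulnerability, Exploitation and Mitigation sections, shown as an added PHP example. This is not FlatPress's own code: the upload directory, the function names and the request parameter are assumptions chosen to mirror the description. The vulnerable handler concatenates the user-supplied name onto the directory; the hardened handler refuses anything that is not a bare file name and then confirms with realpath() that the resolved target still sits inside the directory before unlinking.

```php
<?php
// Added example, not FlatPress code. Assumed layout: uploads live directly in
// UPLOAD_DIR and the panel receives the file to delete as ?deletefile=<name>.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/fp-content/attachs';

// Vulnerable form: the request value is joined onto the directory unchanged.
// ?deletefile=../../config.php resolves two levels above UPLOAD_DIR and the
// file is removed if the web server process may write to its directory.
function deleteFileVulnerable(string $name): bool
{
    $path = UPLOAD_DIR . '/' . $name;
    return is_file($path) && unlink($path);
}

// Hardened form. Two independent controls:
//  1. The name must already be a bare file name (no '/', no '\', not '.' or
//     '..'); anything else is rejected rather than silently normalised.
//  2. The resolved path must have UPLOAD_DIR as its parent, checked on the
//     realpath() result so symlinks inside the directory cannot redirect the
//     delete to a file elsewhere on disk.
function deleteFileHardened(string $name): bool
{
    // basename() on Linux does not treat '\' as a separator, so map it first;
    // a Windows-style '..\..\config.php' would otherwise pass as one name.
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base === '.' || $base === '..' || $base !== $name) {
        return false;
    }

    $root   = realpath(UPLOAD_DIR);
    $target = realpath(UPLOAD_DIR . '/' . $base);
    if ($root === false || $target === false) {
        return false;           // directory missing or file does not exist
    }
    // Containment: the target must be a regular file directly under $root.
    if (dirname($target) !== $root || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Usage: the request value is only ever passed to the hardened function.
$name = $_GET['deletefile'] ?? '';
if ($name !== '' && deleteFileHardened($name)) {
    echo "deleted\n";
} else {
    http_response_code(400);
    echo "refused\n";
}
```

The committed fix takes the blocklist route (removing .., / and \ from the name); the containment check above is the stronger control because it validates the final resolved path rather than the characters in the input, and it fails closed when realpath() cannot resolve the target. The dirname() comparison deliberately limits deletion to files directly in the upload directory; a site that stores attachments in subfolders would replace it with a prefix check against $root . DIRECTORY_SEPARATOR on the realpath() output.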
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products (2)
- flatpressblog/flatpress (version range: unspecified)
Patches
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.