CVE-2024-33350
Description
Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote attacker to execute arbitrary code and obtain sensitive information via the include/model/file.php component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated directory traversal in TaoCMS 3.0.2 allows arbitrary file write via the File component, enabling remote code execution or information disclosure.
Vulnerability
A directory traversal vulnerability exists in TaoCMS v.3.0.2 in the include/model/file.php component. The __construct() method sets $this->path directly from the user-supplied $_REQUEST['path'] parameter without any sanitization [1]. The save() method then writes user-provided content ($_POST['filedata']) to $this->realpath (constructed as SYS_ROOT.$this->path) using file_put_contents() [1]. This allows an attacker to control both the file path (with ../ traversal) and the file content.
Exploitation
An attacker needs network access to the admin endpoint (admin.php) and must be able to send a crafted HTTP POST request [1]. The example payload includes a path parameter like ../../importantfile.txt to traverse outside the web root, and a filedata parameter containing arbitrary content [1]. The save() function only checks if the target path is writable, but does not validate the path against allowed directories [1]. No authentication is required if the admin interface is exposed; the proof-of-concept uses a session cookie but does not demonstrate authentication bypass.
Impact
Successful exploitation allows an attacker to write arbitrary files to arbitrary locations on the server filesystem, limited only by filesystem permissions [1]. This can lead to remote code execution (e.g., overwriting a PHP file in the web root) or exfiltration of sensitive information (e.g., by writing to a log or config file) [1]. The attacker gains the ability to execute code with the privileges of the web server user.
Mitigation
As of the available references, no official patch has been released for TaoCMS 3.0.2 [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. Operators should restrict access to the admin interface (e.g., via firewall rules or VPN) and consider disabling the file editing functionality until a fix is available. Upgrading to a newer version of TaoCMS (if one exists) may also address the issue, but this is not confirmed in the references [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TaoCMS/TaoCMS
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `path` parameter in `include/Model/file.php` allows directory traversal, enabling arbitrary file writes."
Attack vector
A remote attacker who can reach the admin panel sends a crafted POST request to `/admin/admin.php` with parameters `action=file`, `ctrl=save`, a `path` parameter containing directory traversal sequences (e.g., `../../importantfile.txt`), and arbitrary file content in the `filedata` parameter [ref_id=1]. The `__construct` method assigns the unsanitized `path` value to `$this->path`, and `save()` writes the attacker-controlled content to the resulting filesystem location [ref_id=1]. No authentication bypass or special privileges beyond admin access are described in the advisory.
Affected code
The vulnerable file is `include/Model/file.php` [ref_id=1]. In the `__construct` method, `$this->path` is set directly from `$_REQUEST['path']` without any filtering, and `$this->realpath` is built by concatenating `SYS_ROOT` with this user-controlled path [ref_id=1]. The `save()` method then writes user-supplied `$_POST['filedata']` to that path via `file_put_contents` without sanitizing the content [ref_id=1].
What the fix does
No patch is provided in the advisory. The researcher notes that `$this->path` is taken from `$_REQUEST['path']` with no filtering, and `save()` does not validate the file content [ref_id=1]. To remediate, the application must validate and sanitize the `path` parameter to prevent directory traversal (e.g., by resolving the path and ensuring it stays within an allowed base directory), and should also restrict the types or locations of files that can be written.
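The remediation described above, as an added example written for this page (it is not TaoCMS code and not taken from the advisory): a hardened replacement for the unvalidated `$_REQUEST['path']` to `file_put_contents()` flow. `SYS_ROOT`, `EDITABLE_DIR`, `resolve_inside()` and `save_file()` are assumptions for the demo, the sandbox directory is constructed so it runs offline, and the paths used in the demo calls are the advisory's own `../../importantfile.txt` and an in-tree `install.lock`.

```php
<?php
// Added example, not TaoCMS code: canonicalise the user path, confirm it stays
// inside an allow-listed directory, and refuse server-side code extensions.
declare(strict_types=1);

// Constructed sandbox root (assumption) so the example runs in a temp dir.
define('SYS_ROOT', rtrim(sys_get_temp_dir(), '/') . '/taocms_demo/');
define('EDITABLE_DIR', SYS_ROOT . 'data/');   // only files under here may be written

/**
 * Resolve a user-supplied relative path against $base and return the absolute
 * target only if it stays inside $base. Returns null on traversal, absolute
 * paths, NUL bytes, backslashes or an unresolvable parent directory.
 * Assumes a POSIX filesystem.
 */
function resolve_inside(string $base, string $userPath): ?string
{
    if ($userPath === ''
        || $userPath[0] === '/'
        || strpos($userPath, "\0") !== false
        || strpos($userPath, '\\') !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // The target may not exist yet, so canonicalise its parent directory
    // (realpath() collapses any '../') and re-attach the final component.
    $parentReal = realpath($base . '/' . dirname($userPath));
    if ($parentReal === false) {
        return null;
    }
    $leaf = basename($userPath);
    if ($leaf === '.' || $leaf === '..') {
        return null;
    }
    $target = $parentReal . DIRECTORY_SEPARATOR . $leaf;

    // Containment check: canonical target must begin with base + separator.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Hardened save(): allow-list the location, refuse executable extensions,
 * log rejections for detection, and only then write.
 */
function save_file(string $userPath, string $content): bool
{
    $target = resolve_inside(EDITABLE_DIR, $userPath);
    if ($target === null) {
        error_log('file.save rejected path: ' . $userPath);
        return false;
    }
    // Defence in depth: the editor must never create server-side code.
    if (preg_match('/\.(php|phtml|phar|htaccess)$/i', $target)) {
        error_log('file.save rejected extension: ' . $userPath);
        return false;
    }
    return file_put_contents($target, $content, LOCK_EX) !== false;
}

// Demo: build the sandbox, then try the advisory's traversal path, a
// legitimate in-tree path, and an in-tree path with a forbidden extension.
@mkdir(EDITABLE_DIR, 0700, true);
var_dump(save_file('../../importantfile.txt', 'arbitrary file writing test'));
var_dump(save_file('install.lock', 'x'));
var_dump(save_file('page.php', 'x'));
```

The containment check is done on the canonicalised parent rather than on the raw string, so encoded or repeated `../` sequences, symlinked parents and trailing-component tricks are all judged by where the write would actually land; the extension allow-list is a second, independent control for the case where the base directory is itself served by PHP.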
Preconditions
- Network: Attacker must be able to send HTTP requests to the TaoCMS admin interface (e.g., /admin/admin.php).
- Input: The path parameter is taken from $_REQUEST without filtering, so no special authentication beyond admin access is required.
Reproduction
The advisory includes a full reproduction payload [ref_id=1]. Send a POST request to `/admin/admin.php` with `Content-Type: application/x-www-form-urlencoded` and body: `name=data%2Finstall.lock&filedata=arbitrary+file+writing+test&action=file&ctrl=save&path=../../importantfile.txt&Submit=%E4%BF%9D%E5%AD%98`. The `path` parameter uses `../` traversal to write the attacker-controlled `filedata` content to an arbitrary location outside the web root [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.