VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2025 · Updated Feb 21, 2025

iteachyou Dreamer CMS ueditor-1.4.3.3 path traversal

CVE-2025-1543

Description

A vulnerability, which was classified as problematic, has been found in iteachyou Dreamer CMS 4.1.3. This issue affects some unknown processing of the file /resource/js/ueditor-1.4.3.3. The manipulation leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in Dreamer CMS 4.1.3 allows remote attackers to read arbitrary files via the /resource/js/ueditor-1.4.3.3 endpoint.

Vulnerability

A path traversal vulnerability exists in Dreamer CMS 4.1.3 within the resource retrieval functionality exposed at /resource/js/ueditor-1.4.3.3. The endpoint fails to properly sanitize user-supplied input, allowing an attacker to traverse directories and read arbitrary files on the server. This issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) [1].

Exploitation

An attacker must be an authenticated user with access to the category editor. While navigating the editor, the application makes GET requests to fetch resources (e.g., /resource/js/ueditor-1.4.3.3/dialogs/template/template.html). By modifying such a request and injecting path traversal sequences (e.g., ../../.gitignore), the attacker can read files outside the intended directory. The attack is performed remotely over HTTP [1].

Impact

Successful exploitation allows an attacker to read sensitive files such as .gitignore, package.json, and other configuration files. This can lead to disclosure of internal directory structures, credentials, API keys, and other critical information stored on the server. The impact is limited to information disclosure; no code execution or data modification is achieved [1].

Mitigation

As of the publication date, the vendor has not responded to the disclosure and no official patch has been released. Users of Dreamer CMS 4.1.3 should restrict access to the /resource/js/ueditor-1.4.3.3 endpoint via web server rules or implement input validation to block path traversal sequences. No workaround is provided by the vendor [1].
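The input-validation option above, shown as an added example (not code from the vendor, the advisory or Dreamer CMS): it canonicalizes each request path and flags requests addressed to the editor directory that resolve outside it, run here over access-log lines. The function names, the log format and the sample lines are assumptions constructed for illustration; only the `/resource/js/ueditor-1.4.3.3` prefix and the file names come from this page.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

EDITOR_ROOT = "/resource/js/ueditor-1.4.3.3"   # prefix named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def decoded_path(target: str, max_decodes: int = 3) -> str:
    """Request path after bounded, repeated percent-decoding."""
    path = urlsplit(target).path
    for _ in range(max_decodes):            # catches %2e%2e and %252e%252e
        step = unquote(path)
        if step == path:
            break
        path = step
    return path.replace("\\", "/")          # some servers treat "\" as a separator

def escapes_editor_root(target: str) -> bool:
    """True if a request aimed at the editor directory resolves outside it."""
    path = decoded_path(target)
    if not path.startswith(EDITOR_ROOT + "/"):
        return False                        # not addressed to the editor path
    resolved = posixpath.normpath(path)     # collapse "." and ".." segments
    return resolved != EDITOR_ROOT and not resolved.startswith(EDITOR_ROOT + "/")

def flag_log_lines(lines):
    """Return request targets from access-log lines that leave the editor root."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and escapes_editor_root(match.group(1)):
            hits.append(match.group(1))
    return hits

# Constructed sample lines (assumed log format, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2025:10:00:01 +0000] "GET /resource/js/ueditor-1.4.3.3/dialogs/template/template.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Feb/2025:10:00:05 +0000] "GET /resource/js/ueditor-1.4.3.3/../../.gitignore HTTP/1.1" 200 88',
    '192.0.2.10 - - [21/Feb/2025:10:00:09 +0000] "GET /resource/js/ueditor-1.4.3.3/%2e%2e/%2e%2e/.gitignore HTTP/1.1" 200 88',
    '192.0.2.10 - - [21/Feb/2025:10:00:12 +0000] "GET /resource/js/ueditor-1.4.3.3/dialogs/%252e%252e%252f%252e%252e%252f%252e%252e%252fpackage.json HTTP/1.1" 200 301',
    '192.0.2.10 - - [21/Feb/2025:10:00:15 +0000] "GET /resource/js/ueditor-1.4.3.3/dialogs/../lang/en/en.js HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for target in flag_log_lines(SAMPLE_LOG):
        print("resolves outside editor root:", target)
```

The same `escapes_editor_root` check can back a reject rule in front of the application; it compares the canonical path against the allowed prefix rather than searching for `../` substrings, which is why the last sample line, which stays inside the directory, is not flagged.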

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

4
