WebsiteBaker v2.13.3 - Directory Traversal

WebsiteBaker v2.13.3 Directory Traversal Vulnerability: A Deep Dive into Exploitation and Mitigation

WebsiteBaker, a popular open-source content management system (CMS) designed for small to medium websites, has long been praised for its simplicity and ease of use. However, in June 2023, a critical security flaw was discovered in version v2.13.3: a directory traversal vulnerability that allows attackers to manipulate file paths and potentially delete arbitrary files from the server’s filesystem.

Understanding Directory Traversal

Directory traversal, also known as path traversal, is a common web security vulnerability that occurs when an application fails to properly sanitize user input used to access files or directories. Attackers exploit this by injecting special sequences like ../ or ../../ into file paths, enabling them to navigate outside the intended directory and access sensitive files or even delete them.

This vulnerability is particularly dangerous when it intersects with file manipulation functions—such as deletion, upload, or download—without proper validation.

The Vulnerability in WebsiteBaker v2.13.3

According to the exploit report by Mirabbas Ağalarov, the delete.php script in the /admin/media module of WebsiteBaker v2.13.3 is susceptible to directory traversal. The dir parameter in the GET request is not properly sanitized, allowing an attacker to specify arbitrary paths using relative navigation.

For example, the following request demonstrates the exploit:

GET /admin/media/delete.php?dir=/../../../../../..//var/www&id=a838b6ebe8ba43a0 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/admin/media/browse.php?dir=/../../../../../..//var/www
Cookie: PHPSESSID-WB-6e6c39=bvnampsc5ji2drm439ph49143c; klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin

This request attempts to delete files located in the /var/www directory—typically the root directory of web server files—by traversing multiple levels using ../ sequences. The absence of path normalization or validation allows the attacker to bypass intended access controls.

Exploitation Scenario and Real-World Impact

Imagine a scenario where an attacker gains access to the admin panel of a WebsiteBaker instance. By crafting a malicious URL like the one above, they can:

• Remove critical configuration files (e.g., config.php).
• Delete backup files or logs that could aid forensic analysis.
• Access and delete sensitive files stored outside the intended media directory.
• Trigger denial-of-service by removing essential components of the website.

Such actions can result in complete website downtime or data loss, especially if backups are not maintained.

Technical Root Cause

The vulnerability stems from improper input validation in the delete.php script. Specifically:

• It fails to resolve relative paths using realpath() or pathinfo() to ensure the path is within the allowed directory.
• It does not enforce a whitelist of allowed directories.
• It relies on user-provided dir parameters without sanitization or normalization.

For example, a simple PHP snippet in the original code might look like:

$dir = $_GET['dir'];
$full_path = $base_dir . $dir;
if (file_exists($full_path)) {
    unlink($full_path);
}

This code is dangerously naive: it concatenates user input directly into a file path without checking whether the path is valid or safe.

Improved Code Example (Secure Implementation)

To prevent directory traversal, developers must implement robust path validation. Here’s a corrected version:

// Secure path validation in delete.php
$base_dir = '/var/www/websitebaker/media'; // Hardcoded allowed base directory
$dir = $_GET['dir'] ?? '';

// Normalize path and prevent traversal
$normalized_dir = realpath($base_dir . '/' . $dir);

// Check if the path is within the allowed base directory
if (strpos($normalized_dir, $base_dir) !== 0) {
    die('Access denied: Invalid directory path.');
}

// Verify file exists and delete
if (file_exists($normalized_dir)) {
    unlink($normalized_dir);
    echo 'File deleted successfully.';
} else {
    echo 'File not found.';
}

This corrected code:

• Uses realpath() to resolve relative paths and ensure they are absolute.
• Checks that the final path starts with the allowed base directory.
• Rejects any attempt to traverse outside the intended directory.

Additionally, incorporating a CSRF token or session validation further strengthens security.

Recommendations and Mitigation

For administrators using WebsiteBaker v2.13.3:

• Upgrade immediately to a patched version. The vendor has released updates to address this vulnerability.
• Implement file access controls using whitelisting or sandboxing.
• Regularly audit file manipulation scripts for input validation.
• Enable logging for file deletion operations to detect suspicious activity.
• Use a web application firewall (WAF) to block known directory traversal patterns.

Conclusion

The WebsiteBaker v2.13.3 directory traversal vulnerability is a stark reminder that even simple, well-intentioned CMS platforms can harbor serious security flaws. It underscores the importance of:

• Input sanitization.
• Path normalization.
• Defense-in-depth strategies.

As cyber threats evolve, developers and administrators must remain vigilant. Secure coding practices—especially around file system interactions—are not optional; they are essential for maintaining trust and integrity in web applications.