CVE-2024-8875 Overview
CVE-2024-8875 is a path traversal vulnerability affecting vedees wcms versions up to 0.3.2. The flaw resides in the /wex/finder.php script, where the p parameter is not properly sanitized before being used in file system operations. Remote attackers can manipulate this parameter to access or affect files outside the intended directory. The exploit has been publicly disclosed, and the vendor did not respond to early disclosure attempts. The vulnerability is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Remote authenticated attackers can traverse the file system through the p parameter in /wex/finder.php, leading to arbitrary file deletion in vedees wcms up to 0.3.2.
Affected Products
- vedees wcms 0.3.0
- vedees wcms 0.3.1
- vedees wcms 0.3.2
Discovery Timeline
- 2024-09-15 - CVE-2024-8875 published to NVD
- 2024-09-20 - Last updated in NVD database
Technical Details for CVE-2024-8875
Vulnerability Analysis
The vulnerability exists in the finder.php script located within the /wex/ directory of vedees wcms. The script accepts a parameter named p that influences file path resolution without enforcing canonicalization or directory boundary checks. Attackers can supply traversal sequences such as ../ to escape the intended working directory. According to the public report referenced in the CVE, exploitation results in arbitrary file deletion on the host system. The attack requires network access and low-privilege authentication, with no user interaction needed.
Root Cause
The root cause is improper input validation on the p parameter, classified under CWE-22. The application concatenates user-supplied input into a file path without sanitization or restriction to an allow-listed base directory. Standard mitigations such as realpath() validation, path normalization, or comparison against a fixed root directory are absent. This allows directory traversal sequences to resolve to arbitrary locations on the underlying file system.
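The following PHP script is an added example, not code from vedees wcms or from the advisory: it shows the realpath()-based confinement check that the root-cause analysis says finder.php lacks, next to the raw-concatenation pattern it replaces. The function names (resolveWithinBase, deleteUnsafe, deleteSafe), the base directory layout and the temporary files it creates are illustrative assumptions.

```php
<?php
// Added example, not vedees wcms code. Names and the directory tree are assumptions.
declare(strict_types=1);

/**
 * Resolve $userPath relative to $baseDir and return its canonical absolute form,
 * or null when it does not exist or would escape $baseDir.
 */
function resolveWithinBase(string $baseDir, string $userPath): ?string
{
    // PHP 8 filesystem functions throw on NUL bytes; reject them before any call.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                        // base directory must itself exist
    }
    // realpath() collapses "." and ".." and resolves symlinks, so the result is
    // the real target regardless of how the input was spelled.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;                        // nonexistent path: nothing to act on
    }
    // Accept the base itself or a path strictly under it. The trailing separator
    // stops ".../uploads" from matching a sibling such as ".../uploads2".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// The pattern the advisory describes: user input concatenated straight into a path.
function deleteUnsafe(string $baseDir, string $p): bool
{
    return @unlink($baseDir . '/' . $p);    // "../config.php" escapes $baseDir
}

// Hardened replacement: delete only a confined, regular file.
function deleteSafe(string $baseDir, string $p): bool
{
    $target = resolveWithinBase($baseDir, $p);
    return $target !== null && is_file($target) && unlink($target);
}

// Self-check on a temporary tree constructed for this example.
$root = sys_get_temp_dir() . '/wcms_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
mkdir("$root/uploads2", 0700);
file_put_contents("$root/uploads/note.txt", "ok");
file_put_contents("$root/config.php", "<?php // placeholder, constructed for the demo");

$checks = [
    'in-base file resolves'      => resolveWithinBase("$root/uploads", 'note.txt') === realpath("$root/uploads/note.txt"),
    'dot-dot escape rejected'    => resolveWithinBase("$root/uploads", '../config.php') === null,
    'sibling prefix rejected'    => resolveWithinBase("$root/uploads", '../uploads2') === null,
    'safe delete refuses escape' => deleteSafe("$root/uploads", '../config.php') === false && is_file("$root/config.php"),
    'unsafe delete escapes base' => deleteUnsafe("$root/uploads", '../config.php') === true && !is_file("$root/config.php"),
    'safe delete works in base'  => deleteSafe("$root/uploads", 'note.txt') === true && !is_file("$root/uploads/note.txt"),
];
foreach ($checks as $name => $ok) {
    echo ($ok ? 'PASS ' : 'FAIL ') . $name . PHP_EOL;
}

// Remove the temporary tree.
@unlink("$root/config.php");
@rmdir("$root/uploads2");
@rmdir("$root/uploads");
@rmdir($root);
```

The important design point is that the boundary check runs on the canonicalized path, after realpath() has resolved every ".." and symlink, and compares against the base directory with a trailing separator; filtering ".." out of the raw string is not equivalent, because encoded or symlinked inputs can still resolve outside the base.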
Attack Vector
An attacker delivers a crafted HTTP request to /wex/finder.php with a malicious value supplied to the p parameter. The payload contains relative path traversal sequences targeting files outside the web root. Because the vulnerability is remotely reachable over the network and the file deletion operation occurs server-side, exploitation does not require local access. Public proof-of-concept details are available in the GitHub Arbitrary File Deletion Report.
The vulnerability manifests when traversal sequences in the p parameter resolve to sensitive files. See the VulDB entry #277507 for additional technical details.
Detection Methods for CVE-2024-8875
Indicators of Compromise
- HTTP requests to /wex/finder.php containing ../ sequences or URL-encoded variants such as %2e%2e%2f in the p parameter.
- Unexpected file deletions in the web application directory or adjacent directories on the host.
- Web server access logs showing the p parameter referencing absolute paths or system files outside the application root.
Detection Strategies
- Inspect web server access logs for requests to /wex/finder.php where the p query parameter contains traversal patterns.
- Deploy web application firewall (WAF) rules that flag directory traversal sequences targeting PHP endpoints.
- Correlate file deletion events on the file system with concurrent inbound HTTP requests to the vulnerable endpoint.
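As an added example that is not part of this advisory, the PHP script below applies the log-inspection strategy above to a handful of constructed access-log lines: it isolates requests to /wex/finder.php, pulls the raw p value out of the query string, decodes it (bounded, so double-encoded forms such as %252e%252e reduce to ..), and reports the reason each suspicious value matched. The log lines, client addresses and file names are constructed for the example; the function names are assumptions.

```php
<?php
// Added example, not part of the advisory. Log lines below are constructed.
declare(strict_types=1);

const VULN_PATH = '/wex/finder.php';

/**
 * Scan combined-format access-log lines and return one finding per request to
 * the vulnerable endpoint whose p parameter carries a traversal indicator.
 */
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        // IP ident user [timestamp] "METHOD target HTTP/x.y" status bytes
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        $url = parse_url($target);
        if (($url['path'] ?? '') !== VULN_PATH || empty($url['query'])) {
            continue;
        }
        // Extract p by regex rather than parse_str(), which would decode it and
        // lose the raw form that the indicators of compromise refer to.
        if (!preg_match('/(?:^|&)p=([^&]*)/', $url['query'], $pm)) {
            continue;
        }
        $raw = $pm[1];
        $reason = traversalReason($raw);
        if ($reason !== null) {
            $findings[] = ['line' => $i + 1, 'ip' => $ip, 'p' => $raw, 'reason' => $reason];
        }
    }
    return $findings;
}

/** Decode up to three times so %2e%2e and %252e%252e both become "..", then classify. */
function traversalReason(string $raw): ?string
{
    $value = $raw;
    for ($round = 0; $round < 3; $round++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    if (strpos($value, "\0") !== false) {
        return 'null byte';
    }
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
        return 'dot-dot segment';
    }
    if (preg_match('#^([\\\\/]|[A-Za-z]:)#', $value)) {
        return 'absolute path';
    }
    return null;
}

// Constructed sample: one benign finder.php request, one unrelated request, and
// several requests carrying the indicators listed in the detection section.
$sampleLog = [
    '203.0.113.5 - - [15/Sep/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - editor [15/Sep/2024:10:02:10 +0000] "GET /wex/finder.php?p=images/logo.png HTTP/1.1" 200 94',
    '198.51.100.9 - editor [15/Sep/2024:10:02:15 +0000] "GET /wex/finder.php?p=../../config.php HTTP/1.1" 200 0',
    '198.51.100.9 - editor [15/Sep/2024:10:02:20 +0000] "GET /wex/finder.php?p=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 0',
    '198.51.100.9 - editor [15/Sep/2024:10:02:25 +0000] "GET /wex/finder.php?p=%252e%252e%252fconfig.php HTTP/1.1" 200 0',
    '198.51.100.9 - editor [15/Sep/2024:10:02:30 +0000] "GET /wex/finder.php?p=/etc/hostname HTTP/1.1" 200 0',
    '198.51.100.9 - editor [15/Sep/2024:10:02:35 +0000] "GET /wex/finder.php?p=note.txt%00.png HTTP/1.1" 200 0',
];

foreach (scanAccessLog($sampleLog) as $f) {
    printf("line %d  %-14s  %-18s  p=%s\n", $f['line'], $f['ip'], $f['reason'], $f['p']);
}
```

Because the script keeps the raw p value alongside the decoded classification, a finding can be matched back to the exact request in the log and correlated with file deletion events from integrity monitoring, which is the third strategy in the list above. A single-pass decode would miss the double-encoded line, which is why the decoding loop is bounded rather than absent.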
Monitoring Recommendations
- Enable file integrity monitoring on the wcms installation directory to detect unauthorized deletions.
- Forward web server and application logs to a centralized analytics platform for traversal pattern detection.
- Alert on anomalous parameter values containing path metacharacters such as .., /, or null bytes.
How to Mitigate CVE-2024-8875
Immediate Actions Required
- Restrict network access to the /wex/finder.php endpoint until a patched version is available.
- Implement a WAF rule to block requests containing path traversal sequences in the p parameter.
- Audit the wcms installation directory for evidence of unauthorized file deletion.
- Reduce file system permissions for the web server process to limit deletion scope.
Patch Information
No vendor patch is currently available. According to the CVE description, the vendor was contacted prior to disclosure but did not respond. Organizations running vedees wcms 0.3.2 or earlier should evaluate migrating to a maintained content management platform. Monitor the VulDB entry and the project's distribution channels for any future fix.
Workarounds
- Block external access to /wex/finder.php at the reverse proxy or web server level.
- Apply input filtering at an upstream proxy to reject requests containing .., %2e%2e, or absolute path indicators in the p parameter.
- Run the wcms application under a dedicated, low-privilege account with read-only access to non-essential files.
- Maintain offline backups of the web application directory to enable recovery from arbitrary file deletion attacks.
# Example nginx configuration to block traversal patterns on the vulnerable endpoint.
# $arg_p holds the raw, still percent-encoded query value, so encoded forms must be
# listed explicitly; "~*" makes the match case-insensitive (so %2E is covered too).
# nginx collapses "\\" to "\" inside quoted strings, so a literal backslash in the
# regex must be written "\\\\"; the shorter "\.\.\\" turns the following "|" into a
# literal pipe and silently breaks the alternation. Only the query string is checked.
location = /wex/finder.php {
    if ($arg_p ~* "(\.\./|\.\.\\\\|%2e%2e|/etc/|/var/)") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.