
[Vulnerability notice] Arbitrary file deletion vulnerability on the Discuz! front-end

Last Updated: Apr 18, 2018

On September 29, 2017, a high-risk vulnerability in the forum system Discuz! was disclosed. An attacker who logs on to the front-end can delete an arbitrary file on the server. Websites running Discuz! are at high risk.

See the following for more information about the vulnerability.


CVE identifier

None

Vulnerability name

Arbitrary file deletion vulnerability on the Discuz! front-end

Vulnerability rating

High

Vulnerability description

A malicious attacker can submit specially crafted requests to the user profile editing fields in Discuz!, resulting in the deletion of an arbitrary file.

Condition and method of exploitation

The website runs an affected version of Discuz!.

Affected scope

Discuz! X 2.5 to 3.4

Vulnerability detection

Check whether the website runs an affected version of Discuz!.
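The version check, as an added example that is not part of this notice. It reads the version define() from a Discuz! X version file and reports whether the version falls inside the affected range stated above (X2.5 through X3.4). The constant name DISCUZ_VERSION and the placeholder file location are assumptions about a generic Discuz! X installation, not values from this notice; point VERSION_FILE at the file in your own installation. A version inside the range only tells you the install is a candidate; it does not tell you whether spacecp_profile.php has already been patched by hand.

```python
"""Version-range check for the Discuz! X arbitrary file deletion notice.

Added example: parses a define('DISCUZ_VERSION', '...') statement from the
contents of a version file and classifies the version against the affected
range (X2.5 through X3.4). The constant name and the file location are
assumed from a generic Discuz! X layout and are not taken from the notice.
"""
import re
from pathlib import Path

AFFECTED_MIN = (2, 5)   # Discuz! X2.5, the lowest affected version named in the notice
AFFECTED_MAX = (3, 4)   # Discuz! X3.4, the highest affected version named in the notice

# Assumed location of the version file; replace with your installation's path.
VERSION_FILE = Path("<discuz-root>/source/discuz_version.php")

# Matches define('DISCUZ_VERSION', 'X3.4') with either quote style and loose spacing.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"]DISCUZ_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)
# Pulls major.minor out of a value such as "X3.4"; the leading X is optional.
_VERSION_RE = re.compile(r"X?\s*(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) from the DISCUZ_VERSION define in text, or None."""
    m = _DEFINE_RE.search(text)
    if not m:
        return None
    v = _VERSION_RE.search(m.group(1))
    if not v:
        return None
    return int(v.group(1)), int(v.group(2))


def is_affected(version):
    """True when (major, minor) lies inside the affected range, inclusive."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_version_file(text):
    """Classify version file contents as 'affected', 'not affected' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


# Constructed sample resembling a Discuz! X version file; used when
# VERSION_FILE does not exist so the script runs stand-alone.
SAMPLE_VERSION_FILE = """<?php
define('DISCUZ_VERSION', 'X3.4');
define('DISCUZ_RELEASE', '20170401');
"""

if __name__ == "__main__":
    text = (VERSION_FILE.read_text(errors="replace")
            if VERSION_FILE.is_file() else SAMPLE_VERSION_FILE)
    print(check_version_file(text))
```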

How to fix or mitigate

  • A release that fixes the vulnerability is not yet available. In the meantime, update your spacecp_profile.php file as needed.

  • Use Alibaba Cloud Security WAF to defend against this vulnerability.
