Arbitrary File Download Vulnerability in MyuCMS
The vulnerable code is in application/bbs/controller/Index.php
The key code in the figure handles file download
It calls "download", which is defined in extend/org/Http.php
There is no filtering or other protection, so any file can be downloaded directly
Example:
Payload: http://127.0.0.1/cms/myucms/index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1
This downloads /etc/passwd from the server and saves it as 1.txt
After downloading, the file opens as shown
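One way to add the missing check before a local file is read, as an added example that is not MyuCMS code: the function name resolve_download_path() and the base directory are assumptions. It canonicalizes the requested path with realpath() and refuses anything that resolves outside the allowed directory.

```php
<?php
// Added example, not MyuCMS code. resolve_download_path() and the
// demo directory names are hypothetical, chosen for illustration.

// Returns the canonical path inside $baseDir, or null when the request must be refused.
function resolve_download_path(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null; // empty input or embedded null byte
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // misconfigured base directory
    }
    // Treat the input as relative to the base even if it starts with "/",
    // then canonicalize: realpath() collapses "../" and follows symlinks.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null; // does not exist, or is not a regular file
    }
    // The canonical path must still sit under the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demo: one file inside the base directory and one beside it.
$tmp  = sys_get_temp_dir();
$base = $tmp . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.txt', "inside\n");
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'outside.txt', "outside\n");

foreach (['report.txt', '/etc/passwd', '../outside.txt', 'missing.txt'] as $url) {
    $path = resolve_download_path($base, $url);
    printf("%-16s => %s\n", $url, $path === null ? 'refused' : 'allowed');
}
```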
Thanks to 0dod