CloudPanel version(s) affected
2.5.0
Description
A critical vulnerability in the CloudPanel File Manager allows for unintended directory deletion/data loss when attempting to rename files containing non-ASCII/special characters.
How to reproduce
1. Upload or create a file with a non-standard name containing characters that the current File Manager UI fails to decode/display (e.g., specific UTF-8 symbols or PUA characters).
2. Observe the file appearing as a blank/empty entry in the CloudPanel File Manager interface.
3. Attempt to "Rename" this specific blank file entry to any valid string.
4. Observe that the operation does not simply fail; the entire parent directory (Document Root) is either deleted or cleared.
Possible Solution
No response
Additional Context
Environment
CloudPanel Version: v2.5.0 (tested on Ubuntu)
Symptom: Files with encoding issues (or specific special characters) are displayed as blank/invalid in the UI. Attempting to rename these specific "ghost" entries triggers a catastrophic failure that removes the parent directory instead of just failing the operation.
Technical Analysis
It appears the server-side wrapper for PHP’s rename() function lacks sufficient input validation. When the UI fails to identify the source file (due to encoding), the backend logic seemingly interprets the operation incorrectly, potentially falling back to an unsafe state where the parent directory is treated as the target or source of the rename command.
Expected Behavior
The File Manager should perform a validation check on the file object before executing any filesystem operation. If the source file cannot be identified or resolved, the operation should abort gracefully and return an error: "Error: Invalid file object or character encoding mismatch." Under no circumstances should the system proceed with an operation that jeopardizes the directory structure.
Severity
Critical – This results in immediate data loss and downtime for the hosted site.
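One way to implement the check described under Expected Behavior, as an added example that is not CloudPanel's code: `safeRename`, its parameters and the demo directory are hypothetical, and the mbstring extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not CloudPanel code): rename one entry inside $baseDir.
function safeRename(string $baseDir, string $oldName, string $newName): void
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Error: base directory cannot be resolved.');
    }
    foreach ([$oldName, $newName] as $name) {
        // Reject anything that is not a single, decodable path component.
        // An empty name is the dangerous case: "$base/" . "" is $base itself.
        if ($name === '' || $name === '.' || $name === '..'
            || !mb_check_encoding($name, 'UTF-8')
            || strpbrk($name, "/\\\0") !== false) {
            throw new InvalidArgumentException(
                'Error: Invalid file object or character encoding mismatch.');
        }
    }
    $source = $base . DIRECTORY_SEPARATOR . $oldName;
    $target = $base . DIRECTORY_SEPARATOR . $newName;
    // is_link() covers dangling symlinks, for which file_exists() is false.
    if (!file_exists($source) && !is_link($source)) {
        throw new RuntimeException('Error: source entry does not exist.');
    }
    if (file_exists($target) || is_link($target)) {
        throw new RuntimeException('Error: target name already exists.');
    }
    if (!rename($source, $target)) {
        throw new RuntimeException('Error: rename failed.');
    }
}

// Constructed demo: a temporary directory stands in for a document root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docroot_' . bin2hex(random_bytes(4));
mkdir($root);
touch($root . DIRECTORY_SEPARATOR . 'index.html');
foreach (['', "\xC3\x28", '..'] as $badName) {   // blank, invalid UTF-8, parent
    try {
        safeRename($root, $badName, 'renamed.txt');
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
safeRename($root, 'index.html', 'home.html');     // a valid rename still works
var_dump(is_dir($root), scandir($root));          // inspect the directory afterwards
```

Because both names are validated as single path components before any path is built, a blank or undecodable entry can never cause the base directory itself to be passed to `rename()`.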