yanyutao0402 ChanCMS Code Injection Vulnerability in Gather.js

Vulnerability

A code injection vulnerability has been identified in yanyutao0402 ChanCMS versions through 3.3.2. The issue is in the 'getArticle' function within 'app/modules/cms/controller/gather.js', which does not properly validate its input parameters. This allows code injection that can be exploited to execute commands remotely. Exploitation requires logging into the application first.

Impact

Exploitation of this vulnerability allows for code injection, which can lead to remote command execution on the server where ChanCMS is hosted.

Reproduction

To reproduce this vulnerability, log into the ChanCMS admin panel using the credentials 'chancms' for the username and '123456' for the password. Once logged in, send a POST request to '/cms/collect/getArticle' or a GET request to '/cms/gather/getArticle' with a payload that includes the 'parseData' parameter. The payload should be crafted to exploit the code injection vulnerability by injecting JavaScript code that, when executed, performs a command injection, such as executing 'whoami' or 'id' commands. The response should indicate successful execution of the injected command, demonstrating the vulnerability.
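For detection, the two routes and the 'parseData' parameter named above give a concrete signal to look for in request logs. The following is an added example, not ChanCMS code: it triages logged requests and separates ordinary traffic from requests that carry 'parseData' to an affected route. The record shape ({method, url, body}), the token heuristic, the verdict names and the '/cms/article/list' sample route are assumptions made for illustration.

```javascript
// Added example (not ChanCMS code). Record shape {method, url, body} is assumed.
const ROUTES = new Set(['/cms/collect/getArticle', '/cms/gather/getArticle']);
// Assumed heuristic: tokens suggesting script content instead of plain data.
const CODE_HINTS = /\b(require|process|child_process|eval|Function|function|import)\b|=>/;

// Return the parseData value for a request to an affected route, else null.
function extractParseData(record) {
  const url = new URL(record.url, 'http://placeholder.invalid');
  const path = url.pathname.replace(/\/+$/, '');
  if (!ROUTES.has(path)) return null;
  // A GET request carries the parameter in the query string.
  const fromQuery = url.searchParams.get('parseData');
  if (fromQuery !== null) return fromQuery;
  if (typeof record.body !== 'string' || record.body === '') return null;
  try {
    const json = JSON.parse(record.body);
    if (json && typeof json === 'object' && 'parseData' in json) {
      return typeof json.parseData === 'string' ? json.parseData : JSON.stringify(json.parseData);
    }
    return null;
  } catch {
    // Not JSON: treat the body as application/x-www-form-urlencoded.
    return new URLSearchParams(record.body).get('parseData');
  }
}

// 'ignore' = other traffic, 'review' = parameter present, 'alert' = looks like code.
function classify(record) {
  const value = extractParseData(record);
  if (value === null) return 'ignore';
  return CODE_HINTS.test(value) ? 'alert' : 'review';
}

// Constructed sample records; values are harmless markers, not real traffic.
const SAMPLES = [
  { method: 'GET', url: '/cms/gather/getArticle?parseData=title', body: '' },
  { method: 'POST', url: '/cms/collect/getArticle', body: '{"parseData":"(() => 1)()"}' },
  { method: 'POST', url: '/cms/collect/getArticle', body: 'parseData=function%28%29%7B%7D' },
  { method: 'POST', url: '/cms/collect/getArticle', body: '{"taskId":7}' },
  { method: 'GET', url: '/cms/article/list?parseData=title', body: '' },
];

function triage(records) {
  return records.map((r) => ({ method: r.method, url: r.url, verdict: classify(r) }));
}

console.table(triage(SAMPLES));
```

Standard access logs usually omit POST bodies, so the POST branch only helps where request bodies are captured, for example by a reverse proxy or application audit log.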

Added: Oct 17, 2025, 4:25 PM
Updated: Oct 17, 2025, 4:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.