SeaCMS Remote Code Execution Vulnerability in admin_files.php Component

A remote code execution vulnerability has been identified in SeaCMS version 13.3. The issue arises in the admin_files.php component, where inadequate restrictions on file suffixes allow attackers to execute commands with system privileges. This is achieved by writing to the admin_files.htm file and exploiting file inclusion vulnerabilities.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where SeaCMS is installed.

Reproduction

To reproduce this vulnerability, send a POST request to '0omeqd/admin_files.php' with the 'action=save' parameter. Include a payload in the 'content' parameter that contains PHP code, such as '<?php phpinfo();?>'. The 'filedir' parameter should be set to '../uploads/../0omeqd/templets/admin_files.htm' to write the payload into a file that can be included later. After the file is written, the injected code can be executed by accessing '0omeqd/admin_files.php?action=custom', which triggers the file inclusion and executes the PHP code.