HAX CMS PHP Insecure File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

An insecure file upload vulnerability has been identified in HAX CMS PHP versions from 9.0.0 up to, but not including, 10.0.2. The issue arises in the 'save' function of 'HAXCMSFile.php', where a denylist approach is used to block certain file types from being uploaded. However, this denylist is incomplete: it blocks only files with '.php', '.sh', '.js', and '.css' extensions. As a result, the system fails to adequately secure file uploads, allowing malicious files to be uploaded and potentially executed on the server.

Impact

Exploitation of this vulnerability allows authenticated users to upload files that bypass the inadequate denylist, leading to remote code execution on the server as the 'www-data' user. This user has permissions to modify, deface, or delete content across all HAX CMS sites on the server.

Reproduction

To reproduce this vulnerability, log into a HAX CMS site and enter the editor. Insert an image block and upload a file with a valid extension that is not blocked by the denylist, such as '.phar', while ensuring the file contains a web shell payload. After uploading, use a proxy tool like Burp Suite to capture the request and observe the URL of the uploaded file. Finally, browse to the uploaded file's URL and execute a command through the web shell, which will run as the 'www-data' user.

Remediation

Users can update to HAX CMS PHP version 10.0.3 or later to address this vulnerability.
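
The denylist weakness described under Vulnerability, shown next to an allowlist check that also verifies file content. This is an added example, not HAX CMS code or its actual patch; the function names, the allowed image set and the sample uploads are assumptions, and it relies on PHP's standard fileinfo extension.

```php
<?php
// Added illustration, not code from HAXCMSFile.php; all names are hypothetical.

// Denylist as described in the advisory: only these extensions are refused.
const DENIED = ['php', 'sh', 'js', 'css'];

// Assumed allowlist for an image-upload field: extension => expected MIME type.
const ALLOWED = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

function extensionOf(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Weak check: every extension that is not listed is accepted.
function denylistAccepts(string $name): bool
{
    return !in_array(extensionOf($name), DENIED, true);
}

// Hardened check: extension must be listed AND the bytes must match its type.
function allowlistAccepts(string $name, string $bytes): bool
{
    $ext = extensionOf($name);
    if (!array_key_exists($ext, ALLOWED)) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return $mime === ALLOWED[$ext];
}

// Constructed sample uploads: client file name => file content.
$pngHeader = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
           . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00";
$script = "<?php /* placeholder body */";
$uploads = [
    'photo.png'  => $pngHeader, // genuine image header
    'notes.phar' => $script,    // extension the denylist does not list
    'avatar.png' => $script,    // image extension, non-image content
    'index.php'  => $script,    // extension the denylist does list
];

foreach ($uploads as $name => $bytes) {
    printf("%-11s denylist=%-6s allowlist=%s\n", $name,
        denylistAccepts($name) ? 'accept' : 'reject',
        allowlistAccepts($name, $bytes) ? 'accept' : 'reject');
}
```

An allowlist narrows what can be stored; serving the upload directory with script execution disabled and using server-generated file names limits what a file that does get through can do.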

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.