HAX CMS PHP Command Injection Vulnerability in Git Import Functionality

Vulnerability

A command injection vulnerability has been identified in HAX CMS PHP versions through 10.0.6. The issue arises in the 'gitImportSite' functionality, which fails to properly validate URL input from POST requests. This insufficient validation allows authenticated attackers to inject arbitrary OS commands via the 'set_remote' function, which uses 'proc_open' to execute the commands on the backend server. The command output can be exfiltrated through an HTTP request.
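As an added example (not the HAX CMS project's own code), the two controls a defender would put in front of the 'set_remote' step: an allow-list check on the imported URL, and an argv-array call to 'proc_open' so the value is never handed to a shell. The function names are hypothetical and the PHP 7.4+ array form of 'proc_open' is assumed.

```php
<?php
// Hypothetical helpers for a "set remote" step of a git import; not HAX CMS code.

function validateGitRemoteUrl(string $url): ?string {
    // Only a parseable https:// URL with a host, and no embedded credentials.
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        return null;
    }
    if (empty($parts['host']) || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Strict character allow-list over the whole string: whitespace, quotes,
    // backticks, $, ;, |, & and newlines cannot pass, and the "https://"
    // anchor rules out a value that git would read as an option ("-...").
    $ok = preg_match('~^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?/[A-Za-z0-9._/-]+(\.git)?$~', $url);
    return $ok === 1 ? $url : null;
}

function setRemoteSafely(string $repoDir, string $url): int {
    $safeUrl = validateGitRemoteUrl($url);
    if ($safeUrl === null) {
        throw new InvalidArgumentException('Rejected git remote URL');
    }
    // UNSAFE pattern (the class of bug described above): a string command lets
    // /bin/sh interpret whatever the user put in $url.
    //   proc_open("git remote set-url origin $url", ...);
    // SAFE: an array is passed straight to execve(), one element per argv entry,
    // so shell metacharacters in $safeUrl are never interpreted.
    $cmd  = ['git', 'remote', 'set-url', 'origin', $safeUrl];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $repoDir);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start git');
    }
    // Drain and close both pipes so git does not block on a full buffer.
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed inputs: the first passes validation, the other two are rejected
// before any process is started.
var_dump(validateGitRemoteUrl('https://example.com/org/site.git') !== null); // true
var_dump(validateGitRemoteUrl('https://example.com/org/site.git; id') === null); // true
var_dump(validateGitRemoteUrl('https://user:pw@example.com/org/site.git') === null); // true
```

The allow-list is deliberately narrower than what git accepts (no ssh:// or scp-style remotes); widen it only for schemes the import feature actually needs, keeping the argv-array call regardless.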

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary OS commands on the backend server, with the ability to exfiltrate the command output via an HTTP request.

Reproduction

To reproduce this vulnerability, authenticate and send a POST request to the 'gitImportSite' endpoint with a crafted URL that includes command injection payloads, such as Bash commands. A valid JSON Web Token (JWT) is required, which can be obtained by capturing a request to another API endpoint, such as 'archiveSite'. After injecting the payload, the command output can be retrieved from the HTTP response.

Remediation

Users can upgrade to HAX CMS PHP version 11.0.3 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 9:18 PM
Updated: Jun 9, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact         10.0
  exploitability  6.6
  remediation     7.7
  relevance       0.2
  threat          6.5
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.