baserCMS
cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*
- <= 5.2.2
A path traversal vulnerability has been identified in baserCMS versions prior to 5.2.3, specifically within the theme file management API. This vulnerability allows authenticated administrators to write arbitrary files by exploiting the path parameter with '../' sequences. The issue can lead to remote code execution by creating a PHP file in a directory outside the theme folder. The vulnerability arises because the path parameter is not properly sanitized, enabling unauthorized file creation.
Exploitation of this vulnerability allows for arbitrary file writing, which can be leveraged to execute remote code on the server.
To reproduce this vulnerability, an authenticated administrator must first log into the baserCMS admin panel and obtain a JWT token. With this token, the administrator can send a POST request to the theme file creation API, including a crafted path parameter that traverses directories to reach the webroot. Once the PHP file is created, it can be accessed through the web server, executing any commands specified in the file via a GET request.
Users are advised to update baserCMS to version 5.2.3 or later.
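The root cause described above is a `path` value that reaches the filesystem without being confined to the theme folder. The following PHP 8 code is an added example of such a containment check, not baserCMS code and not the 5.2.3 patch; the helper name `resolveInsideBase` and the demo directory layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a baserCMS function): resolve a user-supplied
// relative path for a file about to be created, refusing anything that
// lands outside $baseDir.
function resolveInsideBase(string $baseDir, string $userPath): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory does not exist');
    }
    if (str_contains($userPath, "\0")) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    // Treat both separators alike so a backslash variant is handled the same way.
    $normalized = str_replace('\\', '/', $userPath);
    $name = basename($normalized);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('invalid file name');
    }
    // The target file does not exist yet, so canonicalize its parent instead.
    // realpath() collapses "../" and follows symlinks; false means it is missing.
    $parent = realpath($base . '/' . dirname($normalized));
    if ($parent === false) {
        throw new InvalidArgumentException('parent directory does not exist');
    }
    // Compare with a trailing separator so "/themes/demo-evil" does not
    // pass as a child of "/themes/demo".
    $baseSep = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($parent . DIRECTORY_SEPARATOR, $baseSep)) {
        throw new InvalidArgumentException('path escapes base directory');
    }
    return $parent . DIRECTORY_SEPARATOR . $name;
}

// Constructed demo layout under the system temp directory.
$root = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir($root . '/themes/demo/layout', 0700, true);
$theme = $root . '/themes/demo';
foreach (['layout/default.php', '../../shell.php', 'layout/../../x.php'] as $p) {
    try {
        echo $p, ' => ', resolveInsideBase($theme, $p), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $p, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The check is done on the canonical parent directory because `realpath()` returns `false` for a file that has not been created yet, which is exactly the case in a file-creation API.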