MacCMS Missing Authentication Vulnerability in Timming API Endpoint
Vulnerability
A missing authentication vulnerability has been identified in MacCMS version 2025.1000.4052, specifically within the Timming API endpoint. The issue arises in the file application/api/controller/Timming.php, where the backend authentication check is bypassed, allowing unauthenticated remote attackers to execute scheduled tasks through the public API. Depending on which tasks are configured in the backend, this can trigger a range of administrative operations.
Impact
Exploitation of this vulnerability allows unauthorized users to execute backend scheduled tasks, potentially leading to denial-of-service conditions, server-side request forgery, or other unintended backend actions.
Reproduction
To reproduce this vulnerability, first enable a scheduled task in the MacCMS backend and configure it to perform a task that can be easily verified, such as clearing the cache. Once the task is enabled, send a GET request to the Timming API endpoint, including the name of the scheduled task and the enforce parameter. The response will confirm that the task was executed, demonstrating the successful exploitation of the authentication bypass.
Remediation
It is recommended to remove the authentication bypass in the Timming API endpoint and implement strong authentication measures, such as HMAC signature authentication or a fixed source IP whitelist. Additionally, backend tasks should not be directly exposed through public APIs without proper authentication and permission checks.
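As an added example, not code from MacCMS, the following plain-PHP gate shows the HMAC signature authentication the remediation names, with a freshness window so a captured signature cannot be replayed later or against another task. The header names, route path, shared secret and the task-name parameter `name` are assumptions (the page itself names only the `enforce` parameter).

```php
<?php
// Added example, not MacCMS code. A request gate the Timming controller could
// call before running any task. Assumed: a shared secret provisioned out of
// band, headers X-Timestamp and X-Signature, an assumed route path, and an
// assumed task-name parameter "name" (the page names only "enforce").
declare(strict_types=1);

const MAX_CLOCK_SKEW_SECONDS = 300;

// Canonical string both sides sign: method, path, sorted query and timestamp,
// so a captured signature is bound to one task and one time window.
function canonicalRequest(string $method, string $path, array $query, int $ts): string
{
    ksort($query);
    return strtoupper($method) . "\n" . $path . "\n" . http_build_query($query) . "\n" . $ts;
}

function signRequest(string $secret, string $method, string $path, array $query, int $ts): string
{
    return hash_hmac('sha256', canonicalRequest($method, $path, $query, $ts), $secret);
}

// True only when both headers are present, the timestamp is fresh and the
// HMAC matches; hash_equals() keeps the comparison constant-time.
function verifyRequest(
    string $secret, string $method, string $path, array $query,
    ?string $tsHeader, ?string $sigHeader, int $now
): bool {
    if ($tsHeader === null || $sigHeader === null || !ctype_digit($tsHeader)) {
        return false;
    }
    $ts = (int) $tsHeader;
    if (abs($now - $ts) > MAX_CLOCK_SKEW_SECONDS) {
        return false;
    }
    return hash_equals(signRequest($secret, $method, $path, $query, $ts), $sigHeader);
}

// Self-check on a constructed request: signed passes; the unauthenticated
// request the advisory describes (no headers) and a stale replay both fail.
$secret = 'constructed-demo-secret';
$path   = '/api.php/timming/index';                    // assumed route
$query  = ['name' => 'clear_cache', 'enforce' => '1']; // constructed task
$now    = 1700000000;
$sig    = signRequest($secret, 'GET', $path, $query, $now);
var_dump(verifyRequest($secret, 'GET', $path, $query, (string) $now, $sig, $now));
var_dump(verifyRequest($secret, 'GET', $path, $query, null, null, $now));
var_dump(verifyRequest($secret, 'GET', $path, $query, (string) $now, $sig, $now + 600));
```

The controller would call verifyRequest() before dispatching the task and respond with 401 or 403 when it returns false; a source-IP allow list can be layered on top as a second control.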
