CVE-2020-35656
📋 TL;DR
This vulnerability in Jaws CMS allows authenticated administrators to upload and execute arbitrary PHP files, leading to remote code execution. It affects Jaws CMS installations up to version 1.8.0. Only authenticated administrators can exploit this vulnerability.
💻 Affected Systems
- Jaws CMS
📦 What is this software?
Jaws by Jaws Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the web server, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Attacker uploads web shell and establishes persistent access to the server, enabling data exfiltration, credential harvesting, or using the server as a pivot point.
If Mitigated
With proper access controls and file upload restrictions, impact is limited to administrators who already have high privileges.
🎯 Exploit Status
Exploit requires administrator credentials. Multiple public proof-of-concept exploits exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.1 or later
Vendor Advisory: https://github.com/jaws-project/jaws
Restart Required: No
Instructions:
1. Back up your Jaws installation and database.
2. Download the latest version from the official repository.
3. Replace all files with the new version.
4. Run any database update scripts if provided.
🔧 Temporary Workarounds
Restrict File Uploads
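Block PHP file uploads through web server configuration (all platforms)
# These rules deny HTTP requests for .php files, so an uploaded script cannot be run.
# For Apache: add to the .htaccess of the upload directory only;
# at the site root this would also block index.php and admin.php
<FilesMatch "\.php$">
# Apache 2.4 without mod_access_compat: use "Require all denied" instead
Deny from all
</FilesMatch>
# For Nginx: add to server block, before the general PHP handler location.
# /uploads/ is a placeholder for your upload directory.
location ~ ^/uploads/.*\.php$ {
deny all;
}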
Remove Vulnerable Components
Disable or remove the FileBrowser gadget if not needed (Linux)
# Remove or rename the FileBrowser gadget directory
rm -rf gadgets/FileBrowser/
# Or disable via admin panel if available
🧯 If You Can't Patch
- Implement strict access controls and monitor administrator accounts for suspicious activity
- Deploy web application firewall (WAF) rules to block malicious file upload patterns
🔍 How to Verify
Check if Vulnerable:
Check if Jaws version is 1.8.0 or earlier and if admin.php endpoints are accessible
Check Version:
grep -r "define.*JAWS_VERSION" includes/ || find . -name "*.php" -exec grep -l "JAWS_VERSION" {} \;
Verify Fix Applied:
Verify version is 1.8.1 or later and test that PHP file uploads are properly restricted
📡 Detection & Monitoring
Log Indicators:
- POST requests to admin.php with reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser
- File uploads with .php extension via FileBrowser gadget
- Unusual administrator login patterns, or administrator logins from unexpected locations
Network Indicators:
- HTTP requests containing 'reqGadget=FileBrowser&reqAction=Files' with file uploads
- Traffic to unexpected PHP files in upload directories
SIEM Query:
source="web_logs" AND (uri="*/admin.php*" AND (query="*reqGadget=Components*" OR query="*reqGadget=FileBrowser*"))
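The log and network indicators above, turned into a small access-log scanner. This is an added example, not code from the Jaws project or from this page's source; the function names, the `/uploads/` directory placeholder and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Placeholder (assumption): substrings identifying your site's upload directories.
UPLOAD_DIRS = ("/uploads/",)
# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3}')

def classify(line, upload_dirs=UPLOAD_DIRS):
    """Return the names of the page's indicators that one access-log line matches."""
    m = LINE_RE.match(line)
    if not m:
        return []
    method, url = m.group(2), urlsplit(m.group(3))
    path = url.path.lower()
    # parse_qs percent-decodes, so comp=File%42rowser still compares equal
    q = {k: v[-1] for k, v in parse_qs(url.query).items()}
    gadget, action = q.get("reqGadget"), q.get("reqAction")
    hits = []
    if method == "POST" and path.endswith("/admin.php"):
        if (gadget, action, q.get("comp")) == ("Components", "InstallGadget", "FileBrowser"):
            hits.append("filebrowser_install")
        if (gadget, action) == ("FileBrowser", "Files"):
            hits.append("filebrowser_upload")
    # .php followed by end of path or PATH_INFO, inside an upload directory
    if re.search(r"\.php(/|$)", path) and any(d in path for d in upload_dirs):
        hits.append("php_in_upload_dir")
    return hits

def scan(lines, upload_dirs=UPLOAD_DIRS):
    """Return [(client_ip, indicators)] for every line with at least one hit."""
    out = []
    for line in lines:
        hits = classify(line, upload_dirs)
        if hits:
            out.append((line.split(" ", 1)[0], hits))
    return out

# Constructed sample lines (documentation IP ranges, not real traffic).
T = "[10/Jan/2021:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "POST /admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser HTTP/1.1" 200 512',
    f'203.0.113.7 - - {T} "POST /admin.php?reqGadget=FileBrowser&reqAction=Files HTTP/1.1" 200 734',
    f'203.0.113.7 - - {T} "GET /uploads/report.php HTTP/1.1" 200 40',
    f'198.51.100.4 - - {T} "GET /admin.php?reqGadget=FileBrowser&reqAction=Files HTTP/1.1" 200 9000',
    f'198.51.100.4 - - {T} "GET /index.php HTTP/1.1" 200 1200',
]
if __name__ == "__main__":
    for ip, hits in scan(SAMPLE):
        print(ip, ",".join(hits))
```

Access logs record only the request line, so parameters sent in a POST body are not visible to this scanner. Treat hits as leads for review, since a legitimate administrator using the FileBrowser gadget produces the same requests.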