CVE-2020-37117
📋 TL;DR
This vulnerability allows an authenticated administrator of jizhiCMS 1.6.7 to download arbitrary files from the server through the admin plugins update endpoint: a crafted POST request with attacker-controlled filepath/download_url parameters returns any file the web server process can read, including system and configuration files containing secrets. Exploitation requires administrator credentials, so the practical risk is a compromised or malicious administrator account rather than an anonymous attacker.
💻 Affected Systems
- jizhiCMS
📦 What is this software?
jizhiCMS (极致CMS) by Jizhicms, a PHP content management system (https://www.jizhicms.cn/)
⚠️ Risk & Real-World Impact
Worst Case
Server compromise through the secrets the download exposes: the CMS database configuration (the application must be able to read it, so it is always reachable), plus any SSH private keys, backups or other credential files the web server user can read. Reading /etc/passwd discloses little by itself; it is the usual proof that the read primitive works.
Likely Case
Exfiltration of configuration files and credentials, reuse of those credentials against the database or neighbouring hosts, and escalation to full system access where the exposed secrets allow it.
If Mitigated
Contained to what the web server user can read, if administrator access is restricted to trusted networks, secrets the CMS does not need are unreadable to that user, and the host is segmented from other systems.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB. Exploitation requires a valid administrator session but is a single crafted POST request once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.8 or later
Vendor Advisory: https://www.jizhicms.cn/
Restart Required: No
Instructions:
1. Back up your current installation, including the database.
2. Download jizhiCMS 1.6.8 or later from the official website.
3. Replace the vulnerable files with the patched versions.
4. Verify the update was successful (version reads 1.6.8 or later and the admin panel still works).
5. If logs show the endpoint was abused before patching, rotate the database credentials and any other secrets stored in files the web server user could read.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrator panel access to trusted IP addresses only. Place the rule in the web server's directory/location block for the admin path (adjust the path to the admin entry point of your deployment). This narrows who can reach the endpoint; it does not protect against a malicious administrator inside the allowed range.
# Configure web server (Apache/Nginx) to restrict the /admin/ path to specific IPs
# Example Apache (inside a <Location> block for the admin path): Require ip 192.168.1.0/24
# Example Nginx (inside the admin location block): allow 192.168.1.0/24; deny all;
File Permission Hardening
Limit what the web server user can read. The download runs with the privileges of the web server process, so it can only expose files that user can read: make secrets the CMS does not need (SSH keys, backups, database dumps, other applications' configuration) owned by root and unreadable to others. This does not protect the CMS's own database configuration, which the application must be able to read.
chmod 600 /path/to/sensitive/files
chown root:root /path/to/sensitive/files
Leave /etc/passwd world-readable (the system depends on it) and leave /etc/shadow at the distribution default, which is already unreadable to the web server user.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the jizhiCMS host from sensitive systems
- Reduce the number of administrator accounts, remove unused ones, and enforce strong unique passwords, since the flaw is only reachable with administrator credentials
- Enable detailed logging and monitoring of all admin panel activity and file access attempts
🔍 How to Verify
Check if Vulnerable:
Check whether you are running jizhiCMS 1.6.7, the version this advisory lists as affected. Review web server and admin panel logs for POST requests to the plugins update endpoint carrying filepath or download_url parameters. These are POST body parameters, which the default access log formats do not record, so you may need request-body logging, a WAF audit log, or application-level logs to see them.
Check Version:
Check the jizhiCMS configuration files or the admin panel's system information page for the installed version
Verify Fix Applied:
Verify the version is 1.6.8 or later. Then confirm, from an administrator session on a test instance, that the plugins update endpoint rejects a filepath/download_url value pointing outside the plugins directory instead of returning the file.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /admin/plugins/update (adjust to your deployment's admin entry point) with filepath or download_url parameters, especially values containing ../ or absolute paths such as /etc/
- Bursts of requests to that endpoint from one admin session, or admin sessions from unexpected source addresses
- Large or unusually sized responses from the admin interface
Network Indicators:
- Admin panel sessions from addresses outside the expected administrative networks
- Unusually large HTTP responses from the plugins update endpoint (the downloaded file leaves the server in the response to the attacker's own session, not as separate outbound traffic)
- Later connections using credentials found in the exfiltrated files, for example database logins from new hosts
SIEM Query (pseudo-query; map the field names to your log schema, and note that it only fires if the request parameters are logged):
source="web_logs" AND (uri_path="/admin/plugins/update" AND method="POST") AND (params CONTAINS "filepath" OR params CONTAINS "download_url")
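The log indicators and SIEM query above can be applied offline to exported web server logs. The script below is an added example written for this page, not code from the advisory or from the jizhiCMS project. It assumes an nginx log_format that appends the POST body ($request_body) to the combined format, uses the endpoint path and parameter names this advisory gives (adjust TARGET_PATH to your admin entry point), and runs over constructed sample lines, not real traffic. It decodes the parameters a second time so that double-encoded traversal (%252F) is not missed.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines (not real jizhiCMS traffic) in an assumed nginx log_format:
# '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$request_body"'
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "POST /admin/plugins/update HTTP/1.1" 200 1843 "id=3&download_url=../../../../etc/passwd&filepath=plugins/"
10.0.0.5 - - [12/Mar/2024:10:15:09 +0000] "POST /admin/plugins/update HTTP/1.1" 200 2210 "id=3&filepath=..%252F..%252Fconfig%252Fdatabase.php"
10.0.0.7 - - [12/Mar/2024:10:16:00 +0000] "POST /admin/plugins/update HTTP/1.1" 200 52 "id=3"
10.0.0.7 - - [12/Mar/2024:10:16:20 +0000] "POST /admin/plugins/update HTTP/1.1" 200 52 "id=4&filepath=plugins/demo.zip"
10.0.0.9 - - [12/Mar/2024:10:16:30 +0000] "GET /admin/plugins/index HTTP/1.1" 200 5120 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<body>[^"]*)"$'
)

# Endpoint and parameter names as given in this advisory; the path is an assumption
# about the deployment and must be adjusted to the real admin entry point.
TARGET_PATH = "/admin/plugins/update"
SUSPECT_PARAMS = ("filepath", "download_url")
# Relative traversal, Windows-style traversal, and absolute paths into sensitive trees.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|^/(etc|proc|root|home)/|^[A-Za-z]:\\")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()   # drop query string, normalise case
    rec["body"] = "" if rec["body"] == "-" else rec["body"]
    return rec


def classify(rec):
    """Return (severity, decoded suspect params) for a hit on the update endpoint, else None."""
    if rec["method"] != "POST" or rec["path"] != TARGET_PATH:
        return None
    params = parse_qs(rec["body"], keep_blank_values=True)  # decodes one layer of %XX
    hits = {}
    for name in SUSPECT_PARAMS:
        for raw in params.get(name, []):
            hits[name] = unquote(raw)  # second decode exposes double-encoded traversal
    if not hits:
        return "low", hits        # update call without the suspect parameters: keep for baselining
    if any(TRAVERSAL_RE.search(v) for v in hits.values()):
        return "high", hits       # parameter points outside the plugins directory
    return "medium", hits         # suspect parameter present; review the value


def scan(log_text):
    """Run the detection over a whole log and return one finding per matching request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec)
        if result is None:
            continue
        severity, hits = result
        findings.append({"severity": severity, "ip": rec["ip"], "time": rec["time"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['ip']:<10} {f['time']} {f['params']}")
```

Run it against an exported log file by replacing SAMPLE_LOG with the file contents. The "low" findings are deliberate: legitimate plugin updates hit the same endpoint, so seeing how often it is normally called is what makes a burst from one session stand out.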