CVE-2022-25104
📋 TL;DR
HorizontCMS v1.0.0-beta.2 contains an arbitrary file download vulnerability in the /admin/file-manager/ component: an authenticated admin-panel user can place a directory traversal sequence in the file download request and retrieve any file the web server process can read, not only files under the managed upload directory. This affects every installation running the vulnerable version. Exposed material includes configuration files (with database credentials), application source code, and system files.
💻 Affected Systems
- HorizontCMS
📦 What is this software?
HorizontCMS (listed as "Horizontcms by Horizontcms Project" in vulnerability databases) is an open-source PHP content management system built on the Laravel framework. Its admin panel includes the file manager component affected by this issue.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through downloading sensitive configuration files containing database credentials, SSH keys, or other secrets leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive files including database credentials, application source code, and configuration files, potentially leading to data breaches or further exploitation.
If Mitigated
Limited impact with proper access controls, network segmentation, and file system permissions preventing access to critical system files.
🎯 Exploit Status
Exploitation requires valid credentials for the admin panel, so the realistic path is a phished, reused, or otherwise compromised admin account rather than an anonymous attack. The vulnerability is documented with technical details in a public GitHub issue on the project repository (linked under Vendor Advisory).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.0.0-beta.3 or later
Vendor Advisory: https://github.com/ttimot24/HorizontCMS/issues/43
Restart Required: Yes
Instructions:
1. Back up the current installation and database.
2. Download the latest version from the official repository.
3. Replace all application files with the new version.
4. Restart the web server service.
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the admin panel to the IP addresses or networks your administrators actually use; 192.168.1.0/24 below is a placeholder to be replaced with your own range. This does not remove the flaw, it only shrinks the set of clients that can reach it.
# Apache (in the document root .htaccess, placed before the application's own rewrite rules):
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
RewriteRule ^admin/ - [F]
# Nginx (the block must still reach the PHP handler, e.g. via a server-level try_files that routes to index.php, or permitted clients get a 404 instead of the admin panel):
location /admin/ {
    allow 192.168.1.0/24;
    deny all;
}
Disable File Manager
Remove or rename the vulnerable file-manager component directory (Linux example below). HorizontCMS is a Laravel-style PHP application whose admin routes are registered in code, so renaming a directory may only break the feature rather than unregister the route: after the change, confirm that /admin/file-manager/ answers 404 or 403, and check that nothing else in the admin panel depended on the component.
mv /path/to/horizontcms/admin/file-manager /path/to/horizontcms/admin/file-manager.disabled
🧯 If You Can't Patch
- Implement strict network access controls to limit admin panel access to trusted IP addresses only.
- Apply file system permissions to restrict access to sensitive directories and files outside the web root.
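If the file manager has to stay reachable, the property a fixed download handler must enforce is that the requested file resolves to a location inside the managed directory after normalisation and symlink resolution. The following is an added reference implementation of that containment check, written in Python for illustration; it is not HorizontCMS code (which is PHP) and assumes nothing about the project's parameter names or directory layout. The sample files and directories it builds are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def is_contained(base_dir: str, requested: str) -> bool:
    """True only if `requested` (as the framework hands it over, i.e. already
    URL-decoded once) resolves to a location inside base_dir.

    resolve() follows symlinks, so a link inside the directory that points
    outside it is rejected as well; NUL bytes and absolute paths are refused
    outright instead of being "fixed up".
    """
    if "\x00" in requested or os.path.isabs(requested):
        return False
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when candidate is outside base
    except ValueError:
        return False
    return True


def resolve_download(base_dir: str, requested: str) -> Optional[str]:
    """Absolute path to serve, or None when the request must be refused."""
    if not is_contained(base_dir, requested):
        return None
    path = (Path(base_dir).resolve() / requested).resolve()
    return str(path) if path.is_file() else None


def demo() -> dict:
    """Constructed layout (not a real installation): an uploads directory holding
    one legitimate file plus a symlink to a config file that lives outside it."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as uploads:
        secret = Path(outside) / "database.php"
        secret.write_text("<?php return ['password' => 'hunter2'];")
        (Path(uploads) / "report.pdf").write_bytes(b"%PDF-1.4 constructed")
        os.symlink(secret, Path(uploads) / "innocent.txt")
        return {
            "legit": resolve_download(uploads, "report.pdf") is not None,
            # classic ../ traversal to an existing file outside the directory
            "traversal": resolve_download(uploads, os.path.relpath(secret, uploads)),
            # symlink planted inside uploads that points outside it
            "symlink": resolve_download(uploads, "innocent.txt"),
            # absolute path smuggled in as the "relative" name
            "absolute": resolve_download(uploads, str(secret)),
            "missing": resolve_download(uploads, "no-such-file.txt"),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The check is deliberately done on the resolved path rather than by stripping "../" from the input: string filtering misses encoded variants and "....//" style evasions, while comparing the resolved candidate against the resolved base is exact. Running the demo shows only the "legit" case being served.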
🔍 How to Verify
Check if Vulnerable:
Confirm the installed version is HorizontCMS v1.0.0-beta.2, then, logged in as an admin, request /admin/file-manager/ with a directory traversal sequence in the file path parameter and see whether a file outside the managed upload directory is returned. Do this against a test copy, not production.
Check Version:
grep -r "version.*beta.2" /path/to/horizontcms/ || grep '"version"' /path/to/horizontcms/composer.json
Verify Fix Applied:
Verify version is v1.0.0-beta.3 or later and test that file download attempts with traversal parameters are blocked.
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to /admin/file-manager/ with ../ patterns
- Unusual file access patterns from admin users
- Access to files outside expected web directories
Network Indicators:
- HTTP requests containing directory traversal sequences (../) to admin endpoints
- Unusual file downloads from admin interface
SIEM Query:
source="web_logs" AND uri="/admin/file-manager/*" AND (uri="*../*" OR uri="*..%2f*" OR uri="*..%2F*" OR uri="*%2e%2e*" OR uri="*%2E%2E*" OR uri="*%252e%252e*")
(Pattern matching on the raw URI misses whatever your SIEM does not decode; where possible, decode the URI field first and match on the decoded value.)
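The log indicators above are easy to miss with a single literal match, because the traversal sequence can arrive plain, percent-encoded, or double-encoded. The following added example (not part of the original advisory) implements the detection over constructed combined-format access log lines: it decodes each URI until it stops changing, flags requests to the file manager that still contain "../", and counts the ones that got a 2xx per source address. The `path=` query parameter in the sample lines is an illustrative assumption, not the real HorizontCMS parameter name.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format. The `path=`
# query parameter is an assumption for illustration, not HorizontCMS's real one.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Feb/2022:10:01:02 +0000] "GET /admin/file-manager/?path=docs/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/Feb/2022:10:01:09 +0000] "GET /admin/file-manager/?path=../../.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Feb/2022:10:02:30 +0000] "GET /admin/file-manager/?path=..%2F..%2Fconfig%2Fdatabase.php HTTP/1.1" 200 3301 "-" "curl/7.81.0"
203.0.113.9 - - [12/Feb/2022:10:02:31 +0000] "GET /admin/file-manager/?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1742 "-" "curl/7.81.0"
198.51.100.2 - - [12/Feb/2022:10:03:00 +0000] "GET /blog/../index.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in the decoded URI; "....//" style evasions still contain it
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both surface as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_hits(log_text: str, scope: str = "/admin/file-manager/") -> list:
    """Parsed requests under `scope` whose decoded URI carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = fully_decode(m["uri"])
        if decoded.startswith(scope) and TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "uri": m["uri"],
                "decoded": decoded,
                "status": int(m["status"]),
            })
    return hits


def count_by_ip(hits: list) -> dict:
    """Traversal requests per source that received a 2xx, i.e. the ones most
    likely to have actually returned a file."""
    return dict(Counter(h["ip"] for h in hits if 200 <= h["status"] < 300))


if __name__ == "__main__":
    found = find_traversal_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["decoded"]}')
    print("successful traversal requests per source:", count_by_ip(found))
```

Against the sample, the plain, single-encoded and double-encoded requests to the file manager are all flagged while the traversal attempt outside the admin scope is ignored; widen `scope` to "/" if you want every traversal attempt regardless of endpoint. A 2xx on one of these requests is the line worth paging on, since a 403 or 404 means the application or a workaround already refused it.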