CVE-2022-28523
📋 TL;DR
HongCMS 3.0.0 contains an arbitrary file deletion vulnerability in the template management component. An authenticated administrator (or anyone holding an admin session) can delete any file the web server process has permission to remove by supplying a file path of their choosing to the /admin/index.php/template/ajax?action=delete endpoint. This affects all HongCMS 3.0.0 installations with admin panel access.
💻 Affected Systems
- HongCMS
📦 What is this software?
Hongcms by Hongcms Project
⚠️ Risk & Real-World Impact
Worst Case
Deletion of any file the web server process can remove, including application configuration and authentication-related files, leading to service disruption, data loss, or privilege escalation where removing such files disables or resets an access control.
Likely Case
Website defacement or denial of service by deleting template files, configuration files, or uploaded content, causing application malfunction.
If Mitigated
Limited impact if the web server user can only write to (and therefore only delete from) the directories it legitimately manages; deletion is governed by write permission on the containing directory, not by the target file's own mode, so files outside those directories stay out of reach.
🎯 Exploit Status
Exploitation requires admin authentication. Once a session is held, exploitation is a single crafted request to the delete action; no memory corruption, race condition or special tooling is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.1 or later
Vendor Advisory: https://github.com/Neeke/HongCMS/issues/17 (a report in the project's GitHub issue tracker rather than a formal advisory)
Restart Required: No
Instructions:
1. Backup your HongCMS installation and database.
2. Download HongCMS 3.0.1 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify the /admin/index.php/template/ajax endpoint has proper input validation.
🔧 Temporary Workarounds
Restrict Admin Panel Access
Limit access to the admin panel to trusted IP addresses only. The ranges below are placeholders; substitute your own management networks. Apply the rule to the /admin directory (in the <Directory> block or an .htaccess file there), not to the whole site.
# Apache 2.4 (mod_authz_core)
Require ip 192.168.1.0/24 10.0.0.0/8
# Apache 2.2 (mod_access)
Order deny,allow
Deny from all
Allow from 192.168.1.0/24 10.0.0.0/8
Disable Template Management
Block the vulnerable template/ajax route at the web server. The part of the URL after index.php is routing information handled by admin/index.php, not a file on disk, so it cannot be renamed or removed with mv; deny the route before it reaches PHP instead. This also disables legitimate template management until the patch is applied.
# Apache 2.4: deny the route before it is dispatched to index.php
<LocationMatch "^/admin/index\.php/template/ajax">
    Require all denied
</LocationMatch>
🧯 If You Can't Patch
- Restrict what the web server user can delete: deletion requires write permission on the containing directory, not on the file, so keep application code and configuration directories owned by a separate deployment user and writable only by it, and give the web server user write access solely to the directories it must manage (uploads, cache). A file mode of 644 on its own does not prevent deletion.
- Deploy a web application firewall (WAF) with rules to block requests to the template endpoint whose parameters carry action=delete together with ../ (URL-encoded or not) or an absolute path.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed HongCMS is version 3.0.0 and whether the delete action of /admin/index.php/template/ajax removes a file named by the request without confining the resolved path to the template directory (for example, whether a name containing ../ is accepted rather than rejected).
Check Version:
grep -r "version.*3.0.0" /path/to/hongcms/ || cat /path/to/hongcms/version.txt
Verify Fix Applied:
Verify HongCMS version is 3.0.1 or later, and test on a non-production copy that the template/ajax delete action rejects names containing ../ or an absolute path without touching the file system, and that a name resolving to a file inside the template directory is the only thing it will delete.
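What "properly validates file paths before deletion" means in practice, as an added illustration that is not HongCMS code and is not the project's patch: a Python model of the vulnerable delete beside a hardened one. The template directory layout, the file names and the hypothetical config.php are constructed for the demonstration; the hardened version resolves the request-supplied name with realpath() and refuses anything that does not stay under the template root, which is the same check a PHP fix would perform with realpath() and a prefix comparison.

```python
import os
import tempfile


def delete_template_unsafe(template_root: str, name: str) -> str:
    """The vulnerable pattern: the request-supplied name is joined onto the
    template directory and removed with no containment check, so a name such
    as "../config.php" deletes a file outside the template root."""
    target = os.path.join(template_root, name)
    os.remove(target)
    return target


def resolve_template_path(template_root: str, name: str) -> str:
    """Resolve `name` inside `template_root`; raise ValueError if the resolved
    path (after "..", "." and symlink resolution) lands outside the root."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing name")
    root = os.path.realpath(template_root)
    # os.path.join discards `root` when `name` is absolute, so an absolute
    # name resolves outside `root` and is rejected by the prefix test.
    candidate = os.path.realpath(os.path.join(root, name))
    if not candidate.startswith(root + os.sep):
        raise ValueError(f"path escapes template root: {name!r}")
    return candidate


def delete_template_safe(template_root: str, name: str) -> str:
    """Hardened delete: validate first, then refuse anything that is not a
    regular file (directories, and names that resolve to nothing)."""
    target = resolve_template_path(template_root, name)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.remove(target)
    return target


def demo() -> dict:
    """Run both variants against a traversal payload in a throwaway tree
    (constructed sample data, hypothetical layout) and report the outcome."""
    with tempfile.TemporaryDirectory() as base:
        templates = os.path.join(base, "templates")
        os.mkdir(templates)
        config = os.path.join(base, "config.php")
        template = os.path.join(templates, "home.html")
        for path in (config, template):
            open(path, "w").close()

        # Vulnerable variant: "../config.php" walks out of the template root.
        delete_template_unsafe(templates, "../config.php")
        unsafe_deleted_config = not os.path.exists(config)

        # Hardened variant: the same payload is rejected before any I/O.
        rejected = False
        try:
            delete_template_safe(templates, "../config.php")
        except ValueError:
            rejected = True

        # A legitimate template name inside the root still works.
        delete_template_safe(templates, "home.html")
        return {
            "unsafe_deleted_config": unsafe_deleted_config,
            "safe_rejected_traversal": rejected,
            "safe_deleted_template": not os.path.exists(template),
        }


if __name__ == "__main__":
    print(demo())
```

The prefix test is done on the realpath() output of both sides so that a symlink inside the template directory pointing elsewhere, or a template root that is itself a symlink, cannot fool the comparison; comparing the raw string against "../" is not enough.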
📡 Detection & Monitoring
Log Indicators:
- HTTP requests (GET or POST) to /admin/index.php/template/ajax carrying action=delete, in particular ones whose file-name parameter contains ../ (plain or URL-encoded as %2e%2e/ or ..%2f) or an absolute path
- File deletion events (for example auditd unlink records) attributed to the web server user outside the template and upload directories
Network Indicators:
- Delete requests to the template endpoint from clients outside the expected administrator network
- Multiple delete requests to the template endpoint from one client in a short time window
SIEM Query:
source="web_logs" AND uri_path="/admin/index.php/template/ajax" AND action="delete"
Match on the action, not on the HTTP method: a clause such as method="POST" would flag every legitimate admin request. Parameters sent in a POST body are not present in the web server access log, so pair this query with application-level logging where the file name is recorded.
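The log indicators above, turned into detection logic that can be run over an access log, as an added example that is not part of the original advisory or of HongCMS. The log lines are constructed samples in Apache combined format, the `file` parameter name used in them is an assumption (the advisory only names action=delete), and the burst threshold of three deletes in sixty seconds is a starting point to tune, not a measured baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/admin/index.php/template/ajax"

# Constructed sample lines in Apache "combined" format; not real traffic. The
# `file` parameter name is an assumption used only to build the samples.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2022:12:00:01 +0000] "GET /admin/index.php/template/ajax?action=list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2022:12:00:07 +0000] "GET /admin/index.php/template/ajax?action=delete&file=../../config/database.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2022:12:00:09 +0000] "POST /admin/index.php/template/ajax?action=delete HTTP/1.1" 200 20 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2022:12:00:11 +0000] "GET /admin/index.php/template/ajax?action=delete&file=..%2F..%2Findex.php HTTP/1.1" 200 20 "-" "curl/7.81.0"
198.51.100.9 - - [10/Apr/2022:12:05:00 +0000] "GET /admin/index.php/template/ajax?action=delete&file=old.html HTTP/1.1" 200 20 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2022:12:05:30 +0000] "POST /admin/index.php/article/save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip ident user [time] "method target protocol" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# "../" or "..\" anywhere, or an absolute path, checked after URL decoding.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|^/')


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not
    match the combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": target.path,
        # parse_qsl URL-decodes values, so %2F-encoded traversal is caught too.
        "params": dict(parse_qsl(target.query, keep_blank_values=True)),
        "status": int(m["status"]),
    }


def analyze(log_text: str, burst_threshold: int = 3,
            window: timedelta = timedelta(seconds=60)) -> dict:
    """Flag delete requests to the template endpoint, traversal-looking
    parameter values, and bursts of deletes from a single client."""
    deletes = [
        rec for rec in map(parse_line, log_text.splitlines())
        if rec and rec["path"].endswith(ENDPOINT)
        and rec["params"].get("action") == "delete"
    ]

    traversal = [
        rec for rec in deletes
        if any(TRAVERSAL_RE.search(v) for k, v in rec["params"].items() if k != "action")
    ]

    times_by_ip = defaultdict(list)
    for rec in deletes:
        times_by_ip[rec["ip"]].append(rec["ts"])
    burst_ips = []
    for ip, times in times_by_ip.items():
        times.sort()
        # Sliding window: any `burst_threshold` consecutive deletes inside `window`.
        if any(times[i + burst_threshold - 1] - times[i] <= window
               for i in range(len(times) - burst_threshold + 1)):
            burst_ips.append(ip)

    return {
        "delete_requests": len(deletes),
        "traversal_ips": sorted({rec["ip"] for rec in traversal}),
        "traversal_values": [v for rec in traversal for k, v in rec["params"].items()
                             if k != "action" and TRAVERSAL_RE.search(v)],
        "burst_ips": sorted(burst_ips),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the third line (a POST) is counted as a delete request but yields no traversal value, because the access log never records a POST body; that record is exactly why the advisory's query should be paired with application-side logging of the file name. Matching the endpoint with endswith() keeps the rule working when HongCMS is installed under a URL prefix.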