CVE-2022-28918

8.1 HIGH

📋 TL;DR

GreenCMS v2.3.0603 contains an arbitrary file deletion vulnerability in the plugin deletion handler. An attacker with admin access can delete arbitrary files on the server by manipulating the plugin_name parameter. All GreenCMS v2.3.0603 installations are affected.

💻 Affected Systems

Products:
  • GreenCMS
Versions: v2.3.0603
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to exploit. All installations of this specific version are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, leading to service disruption, data loss, or privilege escalation.

🟠 Likely Case

Website defacement or data loss through deletion of web application files, configuration files, or user uploads.

🟢 If Mitigated

Limited impact if proper file permissions restrict deletion to non-critical files and regular backups exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials. The vulnerability is publicly documented with proof-of-concept details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.3.0604 or later

Vendor Advisory: https://github.com/GreenCMS/GreenCMS/issues/116

Restart Required: No

Instructions:

1. Back up your GreenCMS installation and database.
2. Download the latest version from the official repository.
3. Replace vulnerable files with patched versions.
4. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Restrict Admin Access

all

Limit admin panel access to trusted IP addresses only.

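# Configure web server (Apache example)
# In the server or virtual host config (<Location> is not valid in .htaccess):
# Note: this restricts every request to index.php, not only the admin module.
<Location /index.php>
    # Apache 2.4+; the 2.2 equivalent is Order Deny,Allow / Deny from all / Allow from ...
    Require ip 192.168.1.0/24
</Location>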

Disable Vulnerable Endpoint

all

Block access to the specific vulnerable URL pattern.

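# Apache
RewriteEngine On
# One condition per parameter (conditions are ANDed), so the rule matches in any parameter order
RewriteCond %{QUERY_STRING} (^|&)m=admin(&|$) [NC]
RewriteCond %{QUERY_STRING} (^|&)c=custom(&|$) [NC]
RewriteCond %{QUERY_STRING} (^|&)a=plugindelhandle(&|$) [NC]
# /? lets the pattern match in both .htaccess and virtual host context
RewriteRule ^/?index\.php$ - [F,L]

# Nginx
# Place these directives inside the existing location that passes index.php to PHP;
# a separate location block without the PHP handler would stop index.php from executing.
set $greencms_route "$arg_m:$arg_c:$arg_a";
if ($greencms_route ~* "^admin:custom:plugindelhandle$") {
    return 403;
}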

🧯 If You Can't Patch

  • Implement strict file system permissions to limit what files the web server user can delete.
  • Enable comprehensive logging and monitoring of file deletion operations and admin panel access.

🔍 How to Verify

Check if Vulnerable:

Check if GreenCMS version is exactly v2.3.0603 by examining version files or admin panel. Test the endpoint with a non-critical test file deletion.

Check Version:

Check GreenCMS version in /config/version.php or admin panel dashboard.

Verify Fix Applied:

After patching, attempt to exploit the vulnerability with a test file. Verify that the file is not deleted and that the endpoint returns an appropriate error.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /index.php with parameters m=admin, c=custom, a=plugindelhandle
  • File deletion events in system logs from web server process
  • Failed file deletion attempts in application logs

Network Indicators:

  • POST/GET requests to vulnerable endpoint pattern
  • Unusual admin panel access from unexpected IPs

SIEM Query:

source="web_server" AND url="*index.php*" AND query="*m=admin*" AND query="*c=custom*" AND query="*a=plugindelhandle*"
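
An added example (not part of the advisory or of GreenCMS): a Python scan of web access logs for the log indicators above. It URL-decodes the query string and ignores parameter order and case, which a literal substring or wildcard match on the raw query string can miss. The combined log format, the plain-name pattern for `plugin_name`, the reuse of 192.168.1.0/24 as the trusted range, and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

ROUTE = {"m": "admin", "c": "custom", "a": "plugindelhandle"}  # from the log indicators
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")  # range from the Apache workaround
PLAIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")  # assumption: plugin names are simple identifiers
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def query_params(target):
    """URL-decoded query parameters as {lower-cased name: [values]}."""
    params = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        params.setdefault(name.lower(), []).append(value)
    return params

def hits_delete_handler(target):
    """True if the request routes to the plugin deletion handler, in any parameter order or case."""
    path_ok = urlsplit(target).path.lower().endswith("index.php")
    params = query_params(target)
    return path_ok and all(want in [v.lower() for v in params.get(name, [])] for name, want in ROUTE.items())

def outside_trusted(client):
    try:
        return ipaddress.ip_address(client) not in TRUSTED_NET
    except ValueError:  # hostname instead of an address in the client field
        return True

def scan(lines):
    """One finding per log line (combined format assumed) that reaches the handler."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_delete_handler(m["target"]):
            continue
        names = query_params(m["target"]).get("plugin_name", [])  # empty if sent in a POST body
        findings.append({"ip": m["ip"], "status": int(m["status"]), "plugin_name": names,
                         "unexpected_ip": outside_trusted(m["ip"]), "needs_review": any(not PLAIN_NAME.match(n) for n in names)})
    return findings

SAMPLE = [  # constructed log lines, not real traffic
    '192.168.1.20 - - [10/May/2022:10:01:02 +0000] "GET /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name=demo HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2022:10:05:40 +0000] "GET /index.php?a=PluginDelHandle&plugin_name=x%2Fy&c=custom&m=admin HTTP/1.1" 200 498 "-" "curl/8.0"',
    '203.0.113.7 - - [10/May/2022:10:06:11 +0000] "POST /index.php?m=admin&c=custom&a=plugindelhandl%65 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/May/2022:10:07:00 +0000] "GET /index.php?m=admin&c=custom&a=index HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Access logs normally omit POST bodies, so an empty `plugin_name` list on a matching request means the value has to be recovered from application or WAF logs.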
