CVE-2023-51154
📋 TL;DR
Jizhicms v2.5 contains an arbitrary file download vulnerability in the admin plugin controller (/admin/c/PluginsController.php). An authenticated administrator can make the application return any file the web server process is able to read, not only plugin packages. This affects all Jizhicms v2.5 installations with the admin panel reachable. An attacker who holds or obtains admin credentials can retrieve configuration files, database credentials, or application source code.
💻 Affected Systems
- Jizhicms
📦 What is this software?
Jizhicms is an open-source PHP content management system developed by the Jizhicms project and distributed through its Gitee repository.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through downloading configuration files containing database credentials, SSH keys, or other sensitive data leading to full system takeover.
Likely Case
Exfiltration of sensitive files including database credentials, configuration files, and source code, potentially enabling further attacks.
If Mitigated
Limited impact if the web server process runs as a dedicated low-privilege account and sensitive files outside the application (SSH keys, other users' data) are not readable by it. Files the application itself must read, such as its own configuration with the database credentials, remain exposed, so some information disclosure still occurs.
🎯 Exploit Status
Exploitation requires admin credentials but is straightforward once authenticated. Public proof-of-concept exists in the referenced issue tracker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.5.1 or later
Vendor Advisory: https://gitee.com/blue_ty/cms/issues/I8O7IV
Restart Required: No
Instructions:
1. Download the latest version from the official repository.
2. Back up the current installation.
3. Replace the affected files with the patched versions.
4. Verify functionality.
🔧 Temporary Workarounds
Restrict Admin Access
Limit admin panel access to trusted IP addresses only. This does not remove the flaw, but it means an attacker needs both admin credentials and a foothold on an allowed network.
# Configure web server (Apache example)
<Location /admin>
Require ip 192.168.1.0/24
</Location>
# Configure web server (Nginx example)
location /admin {
allow 192.168.1.0/24;
deny all;
}
File Permission Restrictions
Set strict file permissions on sensitive directories. Note the limit of this measure: the download is performed by the web server process, so anything PHP must be able to read (the application's own config, including database credentials) stays readable through the vulnerability. Permissions mainly protect files outside the application, such as other users' home directories and SSH keys.
# Restrict access to sensitive directories
# These assume the files are owned by the account the web server runs as;
# check ownership first, or PHP will lose access to its own configuration.
chmod 750 /path/to/jizhicms/admin/
chmod 640 /path/to/jizhicms/config/*
chmod 640 /path/to/jizhicms/database/*
🧯 If You Can't Patch
- Disable admin panel entirely if not needed
- Implement web application firewall (WAF) rules that block download requests reaching the plugin controller (/admin/c/PluginsController.php). Check how your deployment routes admin requests first: the URL seen by the WAF and in access logs may be a framework route rather than the controller file path, and the rule must match the traversal sequences (including URL-encoded forms such as ..%2F) in the request, not just the endpoint.
🔍 How to Verify
Check if Vulnerable:
Confirm the installation is Jizhicms v2.5. On a test instance, authenticate as an administrator and request the plugin controller's download function with a path that points outside the intended plugin directory (for example a traversal sequence such as ../). A vulnerable instance returns the contents of that file instead of rejecting the request.
Check Version:
Check version.php file or admin panel dashboard for version information
Verify Fix Applied:
Verify the version is v2.5.1 or later, then repeat the traversal test above: the patched download function must reject any path that resolves outside the permitted directory, including traversal sequences, absolute paths and symbolic links pointing elsewhere.
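What "validates file paths properly" means in practice is a containment check: canonicalise the requested path and require the result to sit below the allowed directory. The following is an added example written for this page, not Jizhicms code (Jizhicms is PHP; the technique is shown in Python so it can be run as-is). The directory layout, file names and the symlink it creates are all constructed in a temporary directory for the demonstration. It contrasts a naive join, which still escapes via ../ or a symlink, with a realpath-based check.

```python
import os
import shutil
import tempfile


def safe_download_path(base_dir: str, requested: str):
    """Map a user-supplied relative path onto base_dir, or return None.

    realpath() collapses '..' and follows symlinks, so the comparison is made on
    the file that would actually be opened. The trailing os.sep in the prefix
    test is what stops '/srv/plugins_old' from satisfying a check for
    '/srv/plugins'.
    """
    # Absolute requests and NUL bytes are rejected outright.
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


def naive_download_path(base_dir: str, requested: str) -> str:
    """The check that looks right but is not: a plain join with no
    canonicalisation, so '../' and symlinks both leave base_dir."""
    return os.path.join(base_dir, requested)


def demo():
    """Build a throwaway layout (constructed for this example) and run both
    checks over it.

      <tmp>/www/plugins/demo.zip      legitimate download
      <tmp>/www/config/database.php   must never be downloadable
      <tmp>/www/plugins/link.php  ->  ../config/database.php (symlink)

    Returns (accepted, naive_leaks): which requests the safe check accepts, and
    which ones the naive join would serve from outside the plugin directory.
    """
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "www", "plugins")
    config = os.path.join(root, "www", "config")
    os.makedirs(plugins)
    os.makedirs(config)
    with open(os.path.join(plugins, "demo.zip"), "wb") as f:
        f.write(b"PK\x03\x04")
    with open(os.path.join(config, "database.php"), "w") as f:
        f.write("<?php return ['password' => 'example'];")
    os.symlink(os.path.join(config, "database.php"),
               os.path.join(plugins, "link.php"))

    requests = ["demo.zip", "../config/database.php", "link.php", "/etc/passwd", ""]
    base = os.path.realpath(plugins)
    accepted = {}
    naive_leaks = {}
    for r in requests:
        accepted[r] = safe_download_path(plugins, r) is not None
        target = os.path.realpath(naive_download_path(plugins, r))
        # The naive join "leaks" when it points at an existing file outside base.
        naive_leaks[r] = os.path.isfile(target) and not target.startswith(base + os.sep)

    shutil.rmtree(root)
    return accepted, naive_leaks


if __name__ == "__main__":
    ok, leaks = demo()
    for r in ok:
        print(f"{r!r:28} safe check accepts: {ok[r]!s:5}  naive join leaks: {leaks[r]}")
```

Only demo.zip passes the safe check; the traversal request and the symlink are both rejected because realpath() resolves them to the config directory, whereas the naive join would happily open either. The same structure applies to the PHP side: realpath() the joined path, realpath() the base, then compare with a trailing directory separator.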
📡 Detection & Monitoring
Log Indicators:
- Unusual file download requests to /admin/c/PluginsController.php
- Multiple failed authentication attempts followed by successful admin login and file downloads
- Requests whose parameters carry traversal sequences or sensitive file paths, for example ../../config/database.php, including URL-encoded (..%2F) and double-encoded (%252e%252e%252f) forms
Network Indicators:
- HTTP requests with file download parameters to admin endpoints
- Traffic patterns showing admin panel access from unusual locations
SIEM Query (illustrative pseudo-query; adapt field names to your platform and the URL your deployment actually routes admin requests through):
source="web_access.log" AND uri="/admin/c/PluginsController.php" AND (param="file" OR param="download")