CVE-2024-34315
📋 TL;DR
CmsEasy v7.7.7.9 contains a local file inclusion vulnerability in the fckedit_action method of /admin/template_admin.php that allows attackers to read arbitrary files using the file_get_contents function. This affects all installations running the vulnerable version, potentially exposing sensitive configuration files, credentials, and system information.
💻 Affected Systems
- CmsEasy
📦 What is this software?
Cmseasy by Cmseasy
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive files like configuration files containing database credentials, system files, or source code, leading to complete system compromise through credential theft or further exploitation.
Likely Case
Attackers read configuration files to obtain database credentials or other sensitive information, potentially leading to data breaches or unauthorized access to backend systems.
If Mitigated
With proper access controls and file permissions, impact is limited to non-sensitive files that the web server process is permitted to read.
🎯 Exploit Status
Exploitation requires sending crafted requests to the vulnerable endpoint. Public proof-of-concept details are available in the referenced GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available, or apply workarounds.
🔧 Temporary Workarounds
Restrict Access to Admin Interface
Limit access to the /admin directory to trusted IP addresses only using web server configuration (the 192.168.1.0/24 range below is a placeholder; substitute your administrators' addresses).
# For Apache 2.2 (or 2.4 with mod_access_compat loaded): add to .htaccess in the admin directory
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# For Apache 2.4 without mod_access_compat, use the Require directive instead:
# Require ip 192.168.1.0/24
# For Nginx: add inside the server block
location /admin {
    allow 192.168.1.0/24;
    deny all;
}
Input Validation in template_admin.php
Modify the fckedit_action method to validate and sanitize the file path before passing it to file_get_contents.
# Example PHP code addition (the allowed directory is a placeholder; point it at the template directory):
$file = $_GET['file'] ?? '';
// Accept only a plain file name: letters, digits, underscore, dash and dot. No slashes, so no directory components.
if ($file === '' || !preg_match('/^[a-zA-Z0-9_\-\.]+$/', $file)) {
    die('Invalid file parameter');
}
// Ensure the resolved path is still inside the allowed directory: "." and ".." pass the regex but resolve elsewhere,
// and realpath() returns false for a missing file, which must be rejected rather than compared as a string.
$allowed_path = realpath('/path/to/allowed/files');
$full_path = realpath($allowed_path . DIRECTORY_SEPARATOR . $file);
if ($allowed_path === false || $full_path === false
    || strpos($full_path, $allowed_path . DIRECTORY_SEPARATOR) !== 0) {
    die('Access denied');
}
$content = file_get_contents($full_path);
🧯 If You Can't Patch
- Implement strict access controls to the admin interface using IP whitelisting.
- Monitor and log all access attempts to the /admin/template_admin.php endpoint for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check if the file /admin/template_admin.php exists and contains the fckedit_action method with file_get_contents calls without proper input validation. Test by sending a request to the endpoint with a file parameter pointing to a known file.
Check Version:
Check the version in the CmsEasy installation files or admin panel. Look for version indicators in source code or configuration files.
Verify Fix Applied:
After applying workarounds, test the endpoint with malicious file parameters to ensure it rejects unauthorized file access attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /admin/template_admin.php with file parameters containing path traversal sequences (e.g., ../../etc/passwd).
- Multiple failed attempts to access sensitive files via the vulnerable endpoint.
Network Indicators:
- HTTP requests to /admin/template_admin.php with file parameters containing unusual paths or traversal sequences.
SIEM Query:
source="web_logs" AND uri="/admin/template_admin.php" AND query="*file=*" AND (query="*../*" OR query="*..\\*" OR query="*/etc/*" OR query="*/windows/*")
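As an added example that is not part of the original advisory, the Python script below applies the log indicators above to constructed combined-format access-log lines: it isolates requests to /admin/template_admin.php, decodes the file parameter (including a double-encoded variant) and flags traversal sequences or absolute system paths, mirroring the SIEM query. The log format, client addresses and parameter values are assumptions made up for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in Apache/Nginx combined format; not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /admin/template_admin.php?file=header.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /admin/template_admin.php?file=../../../../etc/passwd HTTP/1.1" 200 1420 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /admin/template_admin.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1420 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jun/2024:12:00:04 +0000] "GET /admin/template_admin.php?file=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.2 - - [10/Jun/2024:12:00:05 +0000] "GET /index.php?file=../../etc/passwd HTTP/1.1" 404 200 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/template_admin.php"
# Same indicators as the SIEM query: traversal sequences or absolute system paths in the file parameter.
# Backslashes are normalised to "/" before matching, so "..\" is covered by the "../" alternative.
SUSPICIOUS = re.compile(r"(\.\./|/etc/|/windows/)", re.IGNORECASE)


def inspect_line(line: str):
    """Return a finding dict for a suspicious request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qs removes one layer of percent-encoding; a second unquote exposes double-encoded traversal.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        value = unquote(raw).replace("\\", "/")
        if SUSPICIOUS.search(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "file": value, "status": m.group("status")}
    return None


def scan_log(text: str) -> list:
    """Apply inspect_line to every line and collect the findings in log order."""
    return [hit for hit in (inspect_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} file={hit['file']}")
```

Requests to other paths with the same payload are deliberately ignored so the output stays scoped to this endpoint; a 500 status on a flagged request is still reported, since a failed read is an attempt worth reviewing.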