CVE-2024-44724
📋 TL;DR
AutoCMS v5.4 contains a PHP code injection vulnerability in the txtsite_url parameter at /admin/site_add.php, allowing attackers to execute arbitrary PHP code on the server. This affects all AutoCMS v5.4 installations with the vulnerable admin interface accessible. Attackers can gain full control of affected web servers.
💻 Affected Systems
- AutoCMS
📦 What is this software?
Autocms by Autocms Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, lateral movement to internal networks, and persistent backdoor installation.
Likely Case
Webshell deployment allowing file system access, database compromise, and credential harvesting from the server.
If Mitigated
Limited impact with proper network segmentation, WAF filtering, and restricted admin access, potentially preventing exploitation.
🎯 Exploit Status
Exploitation requires admin access to reach /admin/site_add.php. Simple PHP code injection via parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch available. Consider upgrading to newer AutoCMS version if available, or implement workarounds.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add input validation to sanitize the txtsite_url parameter in site_add.php
Edit /admin/site_add.php to add: $txtsite_url = filter_var($_POST['txtsite_url'], FILTER_SANITIZE_URL);
Disable Admin Interface
Temporarily disable or restrict access to the /admin/ directory
Add to .htaccess: Deny from all
Or rename /admin/ directory
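As an added example (not AutoCMS code and not from the advisory), here is what a stricter version of the txtsite_url workaround looks like. FILTER_SANITIZE_URL only strips characters outside the URL alphabet; quotes, parentheses, semicolons, `$` and `<?` all survive it, so sanitizing alone does not stop a value that is later written into or evaluated as PHP. The example rejects anything that is not a plain http(s) URL, and, for the assumed case that the value is persisted into a PHP config file, emits it through var_export() so it can only ever be a string literal. The function names, the character allowlist and the config-file sink are assumptions for illustration; requires PHP 7.4 or later.

```php
<?php
// Added example, not AutoCMS source. Assumes the validated value may be
// written into a PHP config file (the sink); the names below are illustrative.
declare(strict_types=1);

// Conservative allowlist for a site base URL: no quotes, angle brackets,
// parentheses, semicolons or "$", none of which a site URL needs.
const SITE_URL_CHARS = '/^[A-Za-z0-9\-._~:\/?#@&=%+]+$/';

/**
 * Return a validated absolute http(s) URL, or null to make the caller reject
 * the request. Hostile input is refused, never "cleaned".
 */
function validateSiteUrl($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return null;
    }
    if (!preg_match(SITE_URL_CHARS, $raw)) {
        return null; // also rejects whitespace and control characters
    }
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return null;
    }
    return $url;
}

/**
 * Assumed sink: the URL is stored in a generated PHP file. var_export()
 * produces a quoted, escaped string literal, so the value is data, not code,
 * whatever it contains. This is the part that actually closes the injection.
 */
function renderConfigLine(string $url): string
{
    return '$site_url = ' . var_export($url, true) . ';';
}

// Constructed inputs for demonstration (not real requests).
$samples = [
    'https://example.com/site',
    'ftp://example.com/',
    'https://example.com/";system("id");$x="',
    '<?php echo 1; ?>',
];
foreach ($samples as $s) {
    $ok = validateSiteUrl($s);
    echo $ok === null
        ? "[rejected] $s\n"
        : "[accepted] " . renderConfigLine($ok) . "\n";
}
```

In site_add.php the pattern is: call validateSiteUrl($_POST['txtsite_url'] ?? null), respond with HTTP 400 when it returns null, and pass only the returned value to whatever writes the configuration. Storing the setting outside PHP source (for example in a JSON file or the database) removes the code sink entirely and is preferable to escaping into PHP.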
🧯 If You Can't Patch
- Implement strict network access controls to restrict admin interface to trusted IPs only
- Deploy web application firewall (WAF) with PHP injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check if AutoCMS version is 5.4 and /admin/site_add.php exists and is accessible
Check Version:
Check AutoCMS configuration files or admin panel for version information
Verify Fix Applied:
Test txtsite_url parameter with PHP code injection payloads after implementing fixes
📡 Detection & Monitoring
Log Indicators:
- POST requests to /admin/site_add.php with suspicious PHP code in parameters
- Unusual file creation in web root directory
Network Indicators:
- HTTP requests containing eval(), system(), or base64_decode() in URL parameters
- Traffic to /admin/site_add.php from unexpected sources
SIEM Query:
source="web_logs" AND uri="/admin/site_add.php" AND (param="txtsite_url" AND value MATCHES "(eval|system|base64_decode|php://)")
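The SIEM query above matches literal strings in one field; as an added example (not part of the advisory), the following script applies the same indicators to constructed log lines and adds the two checks a practitioner would want in practice: URL-decoding the value before matching (including a second decode, since double encoding defeats naive matching) and case-insensitive patterns, plus the "unexpected source" network indicator as an allowlist of admin IPs. The log line format, the trusted IP list and the sample traffic are all assumptions constructed for the example.

```php
<?php
// Added example, not from the advisory or AutoCMS. Log format is constructed:
//   "<timestamp> <client-ip> <method> <uri> <param>=<raw-value>"
declare(strict_types=1);

const SITE_ADD_URI = '/admin/site_add.php';
// Assumed: the admin interface is only ever used from these addresses.
const TRUSTED_ADMIN_IPS = ['198.51.100.10'];
// The advisory's indicators; the trailing "(" cuts noise from plain words.
const INJECTION_PATTERN = '/(?:eval|system|base64_decode)\s*\(|php:\/\//i';

/** Parse one constructed log line into its fields, or null if malformed. */
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) (\S+) (\S+) (\S+) (\w+)=(.*)$/', $line, $m)) {
        return null;
    }
    return [
        'ts' => $m[1], 'ip' => $m[2], 'method' => $m[3],
        'uri' => $m[4], 'param' => $m[5], 'value' => $m[6],
    ];
}

/** Return one alert per suspicious request to the vulnerable endpoint. */
function detect(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $e = parseLine($line);
        if ($e === null || $e['uri'] !== SITE_ADD_URI) {
            continue;
        }
        // One decode layer is normal form encoding; the second catches
        // double-encoded payloads that a raw-string match would miss.
        $decoded = rawurldecode(rawurldecode($e['value']));
        $reasons = [];
        if ($e['param'] === 'txtsite_url' && preg_match(INJECTION_PATTERN, $decoded)) {
            $reasons[] = 'php-injection-indicator';
        }
        if (!in_array($e['ip'], TRUSTED_ADMIN_IPS, true)) {
            $reasons[] = 'untrusted-source-ip';
        }
        if ($reasons !== []) {
            $alerts[] = ['ts' => $e['ts'], 'ip' => $e['ip'],
                         'value' => $decoded, 'reasons' => $reasons];
        }
    }
    return $alerts;
}

// Constructed sample lines (not real traffic).
$sample = [
    '2024-09-01T10:00:00Z 198.51.100.10 POST /admin/site_add.php txtsite_url=https://example.com',
    '2024-09-01T10:00:05Z 203.0.113.5 POST /admin/site_add.php txtsite_url=https://example.com',
    '2024-09-01T10:00:09Z 203.0.113.5 POST /admin/site_add.php txtsite_url=PHP%3A%2F%2Finput',
    '2024-09-01T10:00:12Z 203.0.113.5 POST /admin/site_add.php txtsite_url=https://example.com/%2522%253BSystem%2528%2522id%2522%2529%253B',
    '2024-09-01T10:01:00Z 203.0.113.5 GET /index.php page=home',
];

foreach (detect($sample) as $a) {
    printf("%s %s [%s] %s\n", $a['ts'], $a['ip'], implode(',', $a['reasons']), $a['value']);
}
```

Running this over the sample yields three alerts: the second line only for its untrusted source, the third and fourth for both the source and the decoded indicator (the fourth only because of the second decode pass). Whichever SIEM runs the production version of the query, apply the same two adjustments: normalise (decode) the parameter value before matching and make the pattern case-insensitive.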