CVE-2024-44916
📋 TL;DR
This vulnerability in Seacms v13.1 is an unsafe write in admin_ip.php: the IP address list submitted to its set action is written verbatim into data/admin/ip.php, a PHP file that the application loads. Anything in that value that is not an IP address, including PHP code, lands in the file and is executed by the web server, so the flaw leads to arbitrary command execution. An attacker who can reach the admin interface (normally an authenticated administrator) can take over the web server process and, from there, the host. All Seacms v13.1 installations that ship the vulnerable admin_ip.php component are affected.
💻 Affected Systems
- Seacms
📦 What is this software?
Seacms (海洋CMS) is an open-source, PHP-based content management system aimed at video and media sites, published by the Seacms project (seacms.com).
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the web server user, giving the attacker the site's database credentials and files, data exfiltration, and full control of the host if the web server runs as root or a local privilege escalation is available.
Likely Case
Web server compromise through a web shell written into data/admin/ip.php, leading to data theft, defacement, or installation of persistent backdoors and malware.
If Mitigated
Limited impact when admin access is restricted to trusted networks, the submitted value is validated as IP addresses only, and data/admin/ip.php is not writable by the web server user.
🎯 Exploit Status
Exploitation requires a session that can reach admin_ip.php, normally an authenticated administrator account; any misconfiguration that exposes the admin endpoint without authentication removes that requirement. Public proof-of-concept code exists in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: http://seacms.com
Restart Required: No
Instructions:
1. Check the Seacms official website (seacms.com) for a security update to v13.1.
2. If a patch is available, download and apply it according to the vendor's instructions.
3. Verify the fix on a test instance by submitting a value that is not an IP address to admin_ip.php and confirming it is rejected rather than written to data/admin/ip.php.
🔧 Temporary Workarounds
Restrict admin access
Limit access to admin_ip.php to trusted management addresses using web server configuration or firewall rules. Replace 192.168.1.0/24 with your admin network and adjust the path to the directory admin_ip.php lives in on your install.
# Apache 2.4:
<Location "/admin_ip.php">
    Require ip 192.168.1.0/24
</Location>
# Nginx (an exact-match location overrides the generic PHP location, so repeat your fastcgi_pass/include fastcgi_params lines here or allowed clients will get the script served raw or a 404):
location = /admin_ip.php {
    allow 192.168.1.0/24;
    deny all;
}
File permission hardening
Set strict permissions on data/admin/ip.php so the web server user can read but not write it. This blocks the injected write at the filesystem level, but it also disables the IP ban feature in the admin panel until the patch is applied. The parent directory must not be writable by the web server user either, or the file can simply be replaced. Substitute your web server account for www-data (apache on RHEL-based systems).
chmod 644 /path/to/data/admin/ip.php
chown root:www-data /path/to/data/admin/ip.php
🧯 If You Can't Patch
- Validate the submitted value in admin_ip.php before it is written: accept only IPv4/IPv6 addresses or CIDR ranges (for example with PHP's filter_var and FILTER_VALIDATE_IP) and reject the whole request if any entry contains anything else, so that quotes, "<?" or "$" can never reach data/admin/ip.php.
- If the IP ban feature is not needed, remove admin_ip.php or deny access to it at the web server.
🔍 How to Verify
Check if Vulnerable:
Check whether admin_ip.php exists and is reachable. On a test instance, submit a value that is not an IP address (for example one containing a single quote) and check whether it appears verbatim in data/admin/ip.php; if it does, the install is vulnerable. Do not send PHP payloads to a production system.
Check Version:
Check the Seacms version in the admin dashboard's system information page or in the install's configuration files under data/ (the exact file varies by release).
Verify Fix Applied:
Resubmit the same non-IP test value after patching: it should be rejected, and data/admin/ip.php should contain only IP addresses and the expected PHP wrapper, nothing that looks like code.
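The validation described under "If You Can't Patch" and the file check described under "How to Verify" come down to the same rule: every entry must parse as an IP address or CIDR range, and nothing else may be written. The following is an added example in Python that models that logic; it is not Seacms code (Seacms is PHP) and it assumes data/admin/ip.php has the layout <?php $ip = '<entries>'; with entries separated by commas, whitespace or newlines. The vulnerable_render function reproduces the bug (verbatim write), hardened_render is the safe version, and scan_ip_file reports anything in an existing file that is not an address.

```python
"""Strict IP-list validation for the admin_ip.php set action, plus a scanner
for an existing data/admin/ip.php. Added example (Python model), not Seacms
code. Assumed file layout: <?php $ip = '<entries>'; with entries separated by
commas, whitespace or newlines."""
import ipaddress
import re

SPLIT_RE = re.compile(r"[,\s]+")
# Assumed layout of data/admin/ip.php; adjust if the real file differs.
WRAPPER_RE = re.compile(r"^<\?php\s*\$ip\s*=\s*'(?P<entries>.*)';\s*$", re.S)


def parse_entry(token):
    """Return the canonical text of one IPv4/IPv6 address or CIDR, or None."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)  # plain host address
    return str(net)                      # network in CIDR form


def validate_ip_list(raw):
    """Split submitted text into (accepted, rejected) entries."""
    accepted, rejected = [], []
    for tok in SPLIT_RE.split(raw.strip()):
        if not tok:
            continue
        canon = parse_entry(tok)
        if canon is None:
            rejected.append(tok)
        else:
            accepted.append(canon)
    return accepted, rejected


def vulnerable_render(raw):
    """Models the bug: the submitted string is written verbatim into PHP source."""
    return "<?php\n$ip = '" + raw + "';\n"


def hardened_render(raw):
    """Write only canonical, validated entries; reject the request on any bad one.
    Because every entry came out of ip_network(), no quote, '<?' or '$' can
    reach the file."""
    accepted, rejected = validate_ip_list(raw)
    if rejected:
        raise ValueError("rejected entries: " + ", ".join(rejected))
    return "<?php\n$ip = '" + ",".join(accepted) + "';\n"


def scan_ip_file(content):
    """Return the tokens in an existing ip.php that are not IP/CIDR entries.
    An empty list means the file holds only addresses. A file whose layout
    does not match the expected wrapper is reported as a whole."""
    m = WRAPPER_RE.match(content)
    if not m:
        return ["<unexpected file layout>"]
    return validate_ip_list(m.group("entries"))[1]


if __name__ == "__main__":
    good = "192.168.1.1, 10.0.0.0/8\n2001:db8::1"
    payload = "1.2.3.4';system($_GET['c']);//"  # constructed injection string
    print(hardened_render(good))
    print("tampered entries:", scan_ip_file(vulnerable_render(payload)))
    try:
        hardened_render(payload)
    except ValueError as err:
        print("blocked:", err)
```

Run scan_ip_file over the contents of your real data/admin/ip.php after adjusting WRAPPER_RE to the actual layout; a non-empty result on a file that should only hold ban addresses is a sign the endpoint has been abused.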
📡 Detection & Monitoring
Log Indicators:
- POST requests to admin_ip.php with action=set from addresses outside the admin network, or whose submitted IP value contains characters that cannot appear in an address (quotes, "<?", "$", parentheses)
- Content in data/admin/ip.php that is not an IP address or CIDR range, or a change to that file at a time no administrator was editing the ban list
- Follow-up requests that trigger the injected code (unusual query parameters on pages that load ip.php) and shell or interpreter processes spawned by the web server user
Network Indicators:
- Traffic to admin_ip.php from sources other than the expected admin networks
- Outbound connections from the web server to unfamiliar IPs after such a request (reverse shell, payload download)
SIEM Query:
source="web_server" AND uri="/admin_ip.php" AND method="POST" AND params.action="set"
(Field names are illustrative; map them to your SIEM's schema. The action parameter is normally sent in the POST body, which standard access logs do not record, so params.action is only available where the reverse proxy, WAF or application logs request bodies; without that, alert on any POST to admin_ip.php from outside the admin network.)
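For environments without a SIEM, the same indicators can be checked directly against the web server access log. The following is an added example in Python, not part of the original advisory or of Seacms, that parses lines in the Apache/Nginx combined log format and rates each POST to admin_ip.php. It assumes an admin allowlist of 192.168.1.0/24 (the same range used in the workaround above); the sample log lines are constructed for the example. Only the file name is matched, since the admin directory name differs between installs.

```python
"""Flag access-log lines that match the admin_ip.php indicators. Added example,
not Seacms code. Assumes the combined log format and an admin allowlist of
192.168.1.0/24; the sample log below is constructed."""
import ipaddress
import re

ADMIN_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: your admin network

# Combined format: src ident user [time] "METHOD URI PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one normal admin session and one external request.
SAMPLE_LOG = """\
192.168.1.10 - - [01/Oct/2024:10:00:00 +0000] "GET /admin/admin_ip.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.1.10 - - [01/Oct/2024:10:00:05 +0000] "POST /admin/admin_ip.php?action=set HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Oct/2024:10:01:00 +0000] "POST /admin/admin_ip.php?action=set HTTP/1.1" 200 210 "-" "python-requests/2.31.0"
203.0.113.7 - - [01/Oct/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 8890 "-" "python-requests/2.31.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return the parsed fields, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"], _, fields["query"] = fields["uri"].partition("?")
    return fields


def classify(fields):
    """Severity of one request: 'high' for a POST to admin_ip.php from outside
    the admin networks, 'low' for one from an allowed source (expected admin
    use, kept for audit), None for everything else."""
    if fields["method"] != "POST" or not fields["path"].endswith("/admin_ip.php"):
        return None
    try:
        src = ipaddress.ip_address(fields["src"])
    except ValueError:
        return "high"  # a source that is not an address is worth a look
    if not any(src in net for net in ADMIN_NETS):
        return "high"
    # The action=set parameter normally travels in the POST body, which the
    # access log does not record, so every POST to this file counts as a write.
    return "low"


def scan_log(text):
    """Return one finding per flagged request, in log order."""
    hits = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        severity = classify(fields)
        if severity:
            hits.append({"src": fields["src"], "time": fields["time"],
                         "uri": fields["uri"], "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["time"], hit["src"], hit["uri"])
```

To run it against a real log, replace SAMPLE_LOG with the file contents (or feed lines to parse_line/classify in a loop) and set ADMIN_NETS to the networks your administrators actually use; a high finding followed by a change to data/admin/ip.php is the pattern to treat as an incident.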