CVE-2024-48180

9.8 CRITICAL

📋 TL;DR

ClassCMS versions up to 4.8 contain a file inclusion vulnerability in the nowView method that allows attackers to include uploaded PHP files and execute arbitrary code. This affects all installations using vulnerable versions of ClassCMS. Attackers can achieve remote code execution with minimal privileges.

💻 Affected Systems

Products:
  • ClassCMS
Versions: <= 4.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through remote code execution, allowing attackers to install malware, steal data, pivot to other systems, or establish persistent backdoors.

🟠 Likely Case

Remote code execution leading to website defacement, data theft, or deployment of web shells for further attacks.

🟢 If Mitigated

Limited impact if file uploads are restricted, but still potential for information disclosure through local file inclusion.

🌐 Internet-Facing: HIGH - Web applications are typically internet-facing, and the vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal systems could be targeted by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 4.8

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Upgrade ClassCMS to a version newer than 4.8.
2. If an upgrade is not possible, apply a manual patch to /class/cms/cms.php to sanitize file inclusion in the nowView method.
3. Remove any suspicious files from the /class/template directory.

🔧 Temporary Workarounds

Restrict file uploads

all

Prevent PHP file uploads to /class/template directory

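# Add to .htaccess in /class/template directory (denies direct HTTP requests only):
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>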

Disable vulnerable method

all

Temporarily disable or restrict access to the nowView method

# Add input validation in /class/cms/cms.php around line with nowView method

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict directory permissions and implement strict file upload validation

🔍 How to Verify

Check if Vulnerable:

Check ClassCMS version in admin panel or by examining source files. If version <= 4.8, system is vulnerable.

Check Version:

Check /admin/index.php or look for version information in source files

Verify Fix Applied:

Verify version is > 4.8 and test that file inclusion attempts in nowView method are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file inclusion attempts in web server logs
  • Requests to /class/cms/cms.php with suspicious parameters
  • PHP file uploads to /class/template directory

Network Indicators:

  • HTTP requests with file inclusion patterns targeting the vulnerable endpoint

SIEM Query:

web.url:*cms.php* AND (web.param:*template* OR web.param:*include*)
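
The log indicators and SIEM query above, applied to web server access logs as an added example (not part of the original advisory or of ClassCMS). It assumes Apache combined log format, treats web.param as the URL-decoded query string, and uses requests for .php files under /class/template/ as a stand-in for the upload indicator; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /class/cms/cms.php?template=example HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:13:56:07 +0000] "GET /class/cms/cms.php?id=7 HTTP/1.1" 200 298 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2024:14:02:11 +0000] "GET /class/template/sample.php HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2024:14:02:30 +0000] "POST /class/cms/cms.php?a=1&%69nclude=y HTTP/1.1" 200 87 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return a finding dict for one access-log line, or None if nothing matches."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format request line
    ip, when, method, target, status = m.groups()
    parts = urlsplit(target)
    # Decode and lowercase before matching so percent-encoding and case do not hide a match.
    path = unquote(parts.path).lower()
    query = unquote(parts.query).lower()
    rules = []
    # The page's SIEM query: url contains cms.php AND params contain template or include.
    if "cms.php" in path and ("template" in query or "include" in query):
        rules.append("siem-query")
    # Assumption: a request for a .php file under /class/template/ stands in for the upload indicator.
    if path.startswith("/class/template/") and path.endswith(".php"):
        rules.append("template-dir-php")
    if not rules:
        return None
    return {"ip": ip, "time": when, "method": method, "target": target,
            "status": int(status), "rules": rules}

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["status"], finding["rules"], finding["target"])
```

A template-dir-php finding answered with status 200 after the .htaccess workaround has been added means the deny rule is not being applied.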
