CVE-2025-51651
📋 TL;DR
An authenticated arbitrary file download vulnerability in Mccms v2.7.0 allows attackers with admin access to download any file from the server via a crafted GET request to /admin/Backups.php. This affects all Mccms v2.7.0 installations with admin accounts. Attackers can access sensitive files like configuration files, database credentials, or source code.
💻 Affected Systems
- Mccms
📦 What is this software?
Mccms by Chshcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers download critical system files (e.g., /etc/passwd, configuration files with database credentials), leading to full system compromise, data theft, or lateral movement.
Likely Case
Attackers download web application configuration files containing database credentials, leading to database compromise and potential data exfiltration.
If Mitigated
With proper access controls and network segmentation, impact is limited to files accessible by the web server user, potentially exposing application data but not system files.
🎯 Exploit Status
Exploitation requires admin credentials but is simple via crafted GET requests. Public proof-of-concept exists in GitHub references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
No official patch available. Check vendor website for updates or consider workarounds.
🔧 Temporary Workarounds
Restrict Access to /admin/Backups.php
Block or restrict access to the vulnerable endpoint using web server configuration or application firewalls.
# Apache: Add to .htaccess or virtual host config
<Files "Backups.php">
Order deny,allow
Deny from all
</Files>
# Nginx: Add to server block
location ~ /admin/Backups\.php$ {
deny all;
return 403;
}
Implement Input Validation
Modify Backups.php to validate file paths and restrict downloads to backup directories only.
# Example PHP code snippet to add to Backups.php
$allowed_path = realpath('/path/to/backups');            // canonical backup directory, no trailing slash
$requested_file = isset($_GET['file']) ? (string) $_GET['file'] : '';
$resolved = realpath($requested_file);                   // false when the file does not exist
// Reject unless the resolved path lies strictly inside the backup directory;
// the trailing separator stops a sibling such as /path/to/backups_old from matching
if ($allowed_path === false || $resolved === false ||
    strpos($resolved, $allowed_path . DIRECTORY_SEPARATOR) !== 0) {
    die('Access denied');
}
🧯 If You Can't Patch
- Implement strong authentication and limit admin access to trusted IP addresses only.
- Monitor and alert on unusual file download patterns from the /admin/Backups.php endpoint.
🔍 How to Verify
Check if Vulnerable:
As an authenticated admin, attempt to download a known file (e.g., /etc/passwd on Linux) via GET request to /admin/Backups.php?file=/etc/passwd. If successful, system is vulnerable.
Check Version:
Check Mccms version in configuration files or admin panel. Look for version 2.7.0 in source code or documentation.
Verify Fix Applied:
After applying workarounds, repeat the test; access should be denied or restricted. Check that file downloads are limited to intended backup directories.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /admin/Backups.php with unusual file parameters (e.g., paths outside backup directories)
- Large or repeated downloads from the Backups.php endpoint
Network Indicators:
- Unusual traffic patterns to /admin/Backups.php from unauthorized IPs
SIEM Query:
source="web_logs" AND uri="/admin/Backups.php" AND (query CONTAINS "file=" AND NOT query CONTAINS "backup")
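As an added example (not part of this advisory and not Mccms code), the following Python script applies the log indicators above to constructed web-server access-log lines: it parses each line, isolates requests to /admin/Backups.php, flags any file parameter that resolves outside the backup directory, and flags IPs with repeated downloads. The same path check mirrors the "restrict downloads to backup directories" rule from the Temporary Workarounds section. The backup directory path, the sample log lines and the repeat threshold are assumptions.

```python
"""Detection helper for requests matching the /admin/Backups.php indicators (added example)."""
import posixpath
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed (hypothetical) backup directory of the Mccms install; adjust to your deployment.
BACKUP_DIR = "/var/www/mccms/backups"
VULN_ENDPOINT = "/admin/Backups.php"

# Combined log format: ip ident user [time] "METHOD uri PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def requested_file_is_outside_backup_dir(file_param: str, backup_dir: str = BACKUP_DIR) -> bool:
    """True when the 'file' parameter resolves (lexically) outside backup_dir.

    Relative names are joined to the backup directory, '..' segments are
    normalised, and the result must stay under backup_dir. Absolute paths are
    checked as given. This is a lexical check for log triage; the server-side
    fix should additionally use realpath() so symlinks cannot escape the directory.
    """
    # Drop anything after a NUL byte; no legitimate backup filename contains one.
    candidate = file_param.split("\x00", 1)[0]
    base = posixpath.normpath(backup_dir)
    if candidate.startswith("/"):
        resolved = posixpath.normpath(candidate)
    else:
        resolved = posixpath.normpath(posixpath.join(base, candidate))
    # Trailing "/" keeps a sibling such as /var/www/mccms/backups_old from passing.
    return not (resolved == base or resolved.startswith(base + "/"))


def scan_log(lines, repeat_threshold: int = 3):
    """Return (findings, per_ip_counts) for requests that hit the vulnerable endpoint."""
    findings = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than guess
        parts = urlsplit(m["uri"])
        if parts.path != VULN_ENDPOINT:
            continue
        per_ip[m["ip"]] += 1
        # parse_qs percent-decodes values, so %2F becomes "/" before the path check
        for requested in parse_qs(parts.query).get("file", []):
            if requested_file_is_outside_backup_dir(requested):
                findings.append({"ip": m["ip"], "user": m["user"],
                                 "file": requested, "reason": "outside_backup_dir"})
    # Repeated downloads from one client are the second indicator listed above
    for ip, n in per_ip.items():
        if n >= repeat_threshold:
            findings.append({"ip": ip, "user": None, "file": None,
                             "reason": f"repeated_downloads({n})"})
    return findings, per_ip


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2025:10:00:01 +0000] "GET /admin/Backups.php?file=db_2025-01-01.sql HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [01/Jan/2025:10:00:09 +0000] "GET /admin/Backups.php?file=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.5 - admin [01/Jan/2025:10:00:15 +0000] "GET /admin/Backups.php?file=%2Fvar%2Fwww%2Fmccms%2Fconfig%2Fdatabase.php HTTP/1.1" 200 1100',
    '10.0.0.9 - admin [01/Jan/2025:10:01:00 +0000] "GET /admin/index.php HTTP/1.1" 200 300',
    '10.0.0.9 - admin [01/Jan/2025:10:01:05 +0000] "GET /admin/Backups.php?file=weekly.tar.gz HTTP/1.1" 200 90000',
]

if __name__ == "__main__":
    results, counts = scan_log(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("requests per IP:", dict(counts))
```

The lexical check deliberately flags absolute paths and traversal sequences even when the file does not exist on the log-reviewing host, which is what you want when triaging logs copied off the web server; on the server itself, pair it with the realpath()-based PHP check from the workaround so symlinked entries in the backup directory are also caught.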