CVE-2007-6604

Source: cve@mitre.org

MEDIUM
5.0
Published: December 31, 2007 at 08:46 PM
Modified: April 9, 2025 at 12:30 AM

Vulnerability Description

Multiple directory traversal vulnerabilities in index.php in XCMS 1.82 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the s parameter to the admin page or (2) the pg parameter to an arbitrary module, as demonstrated by reading a password hash in a .dtb file under dati/membri/ or by executing embedded PHP code in images under uploads/avatar/.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

XCMS 1.82 and earlier versions are vulnerable to multiple directory traversal flaws, allowing attackers to read sensitive files and potentially execute arbitrary code. Attackers can exploit these vulnerabilities by manipulating the s and pg parameters in the index.php script, leading to unauthorized access to system files and potentially complete system compromise.

02 // Vulnerability Mechanism

Step 1: Parameter Injection: The attacker crafts a malicious URL containing a directory traversal payload in either the s parameter (admin page) or the pg parameter (module). For example, index.php?s=../../../../etc/passwd or index.php?pg=../../uploads/avatar/malicious.php.

Step 2: Path Construction: The vulnerable index.php script uses the attacker-supplied parameter value to construct a file path.

Step 3: File Access: Due to the lack of input validation, the script attempts to access the file specified by the crafted path, which can be outside of the intended web root.

Step 4: Information Disclosure/Code Execution: If the target file is readable (e.g., /etc/passwd), the attacker can read its contents. If the target is a PHP file within a writable directory (e.g., uploads/avatar/), the attacker can potentially execute arbitrary code by uploading a malicious PHP file and then accessing it via the pg parameter.

03 // Deep Technical Analysis

The vulnerability stems from insufficient validation of the user-supplied s and pg parameters in index.php: their values are used to build file paths without being sanitized, so an attacker can inject ../ sequences and traverse out of the intended web root. The result is arbitrary file read, and potentially remote code execution when the attacker can also control the contents of a file in a writable directory (e.g., uploads/avatar/). The root cause is a missing or inadequate check on user-controlled input that is used in file path construction, i.e. a classic path traversal flaw.

04 // Exploitation Status

**Public PoC**. Exploits are readily available and easily adaptable. The vulnerability is relatively simple to exploit, making it a high-risk target.

05 // Threat Intelligence

While no specific APTs are definitively linked to this specific CVE, the ease of exploitation and the potential for complete system compromise make it a likely target for various threat actors. This vulnerability could be leveraged by attackers for initial access, data exfiltration, or further lateral movement within a compromised network. Not listed on CISA KEV.

06 // Detection & Hunting

  • Network Intrusion Detection Systems (IDS) can be configured to detect malicious URL patterns containing ../ sequences in the s or pg parameters of requests to index.php.

  • Web Application Firewalls (WAFs) can be used to block requests containing directory traversal attempts.

  • File integrity monitoring (FIM) can be used to detect unauthorized access or modification of sensitive files, such as configuration files or password files.

  • Review web server access logs for suspicious requests, particularly those targeting index.php with unusual parameter values.

  • Analyze web server error logs for file access errors that might indicate a successful exploit attempt.
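The log review described above, as an added example that is not part of the original record: it parses a few constructed Apache combined-format lines, fully percent-decodes the s and pg values of index.php requests (so %2e%2e and double-encoded %252e%252e variants are not missed), and flags any value containing a .. path segment. Log lines, IPs and file names are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic); one benign request,
# three traversal attempts against index.php, one traversal against another script.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:01:02 +0000] "GET /index.php?pg=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2024:10:01:07 +0000] "GET /index.php?s=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.81"
10.0.0.9 - - [12/Jan/2024:10:01:09 +0000] "GET /index.php?pg=..%2F..%2Fdati%2Fmembri%2Fadmin.dtb HTTP/1.1" 200 97 "-" "curl/7.81"
10.0.0.9 - - [12/Jan/2024:10:01:11 +0000] "GET /index.php?pg=%252e%252e/uploads/avatar/x.gif HTTP/1.1" 200 30 "-" "curl/7.81"
10.0.0.7 - - [12/Jan/2024:10:02:00 +0000] "GET /other.php?s=../x HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PARAMS = ("s", "pg")   # the two parameters named in the CVE


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if any path segment of the decoded value is '..' (handles / and \\ separators)."""
    normalized = decode_fully(value).replace("\\", "/")
    return ".." in normalized.split("/")


def flag_traversal(log_text):
    """Return (ip, param, decoded_value, status) for index.php requests with a traversal in s/pg."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/index.php"):
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name not in WATCHED_PARAMS:
                continue
            for raw in values:          # parse_qs has already decoded one layer
                if is_traversal(raw):
                    hits.append((m["ip"], name, decode_fully(raw), int(m["status"])))
    return hits
```

A 200 status on a flagged request is the signal worth escalating: the traversal was not only attempted but served.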

07 // Remediation & Hardening

  • Upgrade to a patched version of XCMS (version 1.83 or later).

  • Implement robust input validation and sanitization for all user-supplied parameters, especially those used in file path construction. This includes filtering out or encoding ../ sequences and other potentially malicious characters.

  • Restrict file access permissions to the minimum necessary for the web application to function. Ensure that the web server user does not have unnecessary privileges.

  • Implement a Web Application Firewall (WAF) to filter malicious requests.

  • Regularly scan the web application for vulnerabilities using automated tools.

  • Review and harden the web server configuration to prevent unauthorized access to sensitive files.

  • Consider using a Content Security Policy (CSP) to mitigate the impact of potential cross-site scripting (XSS) vulnerabilities that could be chained with this directory traversal.
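An added example covering both the path construction in Steps 2-3 of the mechanism section and the remediation bullet on filtering ../ sequences; it is not XCMS code (XCMS is PHP; the same check is modelled here in Python). It shows that a single-pass strip of "../" is bypassed by "....//", and contrasts it with a resolver that allowlists module names and then verifies the resolved real path stays inside the modules directory. The directory layout, the ".php" suffix and the file names are assumptions built in a temporary directory.

```python
import os
import tempfile


def strip_dotdot(value):
    """Single-pass removal of '../': the kind of filter that is NOT sufficient on its own."""
    return value.replace("../", "")


def resolve_module(base_dir, name):
    """Resolve a module name under base_dir; return its real path, or None if rejected.

    Layer 1: allowlist on the raw value (module names are plain tokens, so '.', '/' and '\\'
    never pass). Layer 2: realpath containment, so a symlink or any missed encoding still
    cannot point outside base_dir.
    """
    if not name or not all(c.isalnum() or c in "_-" for c in name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a throwaway tree (modules/news.php inside, secret.dtb outside) and compare both approaches."""
    root = tempfile.mkdtemp()
    modules = os.path.join(root, "modules")
    os.makedirs(modules)
    with open(os.path.join(modules, "news.php"), "w") as f:
        f.write("<?php echo 'news'; ?>")
    with open(os.path.join(root, "secret.dtb"), "w") as f:     # constructed stand-in for a .dtb file
        f.write("hash")
    payload = "....//secret.dtb"   # one strip pass turns this into '../secret.dtb'
    naive_path = os.path.realpath(os.path.join(modules, strip_dotdot(payload)))
    return {
        "stripped_payload": strip_dotdot(payload),
        "naive_escapes": naive_path == os.path.join(os.path.realpath(root), "secret.dtb"),
        "hardened_news": resolve_module(modules, "news") is not None,
        "hardened_traversal": resolve_module(modules, payload),
        "hardened_dotdot": resolve_module(modules, "../secret.dtb"),
    }
```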

08 // Affected Products

XCMS 1.82 and earlier

09 // Discovered Proof of Concept Links
