Executive Summary

This vulnerability in Blackcat CMS 1.4 allows authenticated administrators to upload malicious PHP files via the jQuery plugin manager. Specifically, an attacker with admin access can upload a ZIP file containing a PHP shell script. Once uploaded, the attacker can execute arbitrary system commands on the server by accessing the uploaded PHP file with a 'code' parameter. This happens because the system does not properly validate or sanitize uploaded plugin files, enabling remote code execution under the web server's privileges. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution on the server hosting Blackcat CMS, allowing an attacker with admin credentials to run arbitrary system commands. This can compromise the confidentiality, integrity, and availability of the system, potentially leading to data theft, system manipulation, or denial of service. Since the attacker needs authenticated admin access, the impact is severe if such credentials are compromised or misused. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Blackcat CMS version 1.4 is running and if the jQuery plugin manager endpoint is accessible. Specifically, you can verify if an uploaded malicious PHP file exists in the directory `/upload/modules/lib_jquery/plugins/poc/`. To detect exploitation, you can look for HTTP requests to URLs like `/upload/modules/lib_jquery/plugins/poc/poc.php?code=<command>`. Additionally, monitoring for unusual POST requests to `/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr` that upload ZIP files containing PHP scripts can help detect attempts. Example commands include using curl or wget to test the upload endpoint (with authenticated admin session) and checking for the presence of suspicious files on the server. For example, on the server, you can run: `find /path/to/blackcatcms/upload/modules/lib_jquery/plugins/ -name '*.php'` to find unexpected PHP files. Also, monitoring web server logs for access to `poc.php` with query parameters can indicate exploitation attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the jQuery plugin manager to trusted administrators only, ensuring that only authorized users can upload plugins. Applying patches or updates from the vendor that fix the unrestricted file upload vulnerability is critical. If no patch is available, disable or restrict the plugin upload functionality temporarily. Additionally, scan the server for any uploaded malicious PHP files in the plugin directories and remove them. Implement web application firewall (WAF) rules to block suspicious upload attempts and access to uploaded PHP files with query parameters that execute system commands. Finally, monitor logs for any signs of exploitation and consider isolating or taking the affected system offline until it is secured. [1, 2]

Useful 0 Not Useful 0