arbitrary file rewrite and read in Hongcms V4.0.0 #11
Description
there is an arbitrary file read and rewrite in the backend of this cms via the link:
/hcms/admin/index.php/language/ajax
when post params : filename=..%2f..%2ftest.php&action=savelang&filecontent=%3C%3Fphp%0D%0A%0D%0Aecho+phpinfo()%3B%0D%0A%3F%3E
in the latest V4.0.0 edtion,
the cms try to use ajax to escape attacker to do same dangerous action like change file name etc
but it can also be catched by proxy
it will write your payload into any file which is writeable
we create new file test.php to check this vuln:
we can access to it via link as http://domain/your file name