Security Parrot - Cyber Security News, Insights and Reviews
3 XSS vulnerabilities can lead to a complete shutdown of the system

Last updated: 2022/08/06 at 10:31 AM
Security Parrot Editorial Team Published August 6, 2022

The web development applications contain bugs that allow an attacker to execute arbitrary commands on the server.

Cybersecurity experts at PT Swarm have discovered three cross-site scripting (XSS) vulnerabilities in popular open-source applications that can lead to remote code execution (RCE). The bugs are in the web development applications Evolution CMS, FUDforum and GitBucket.

An XSS attack allows an attacker to run JavaScript code in the victim’s browser, which can steal cookies or redirect the user to a phishing site.

A bug in Evolution CMS v3.1.8 allows a hacker to launch a reflected (non-persistent) XSS attack in several places in the admin section. If the attack is run against an administrator who is logged in to the system, the "index.php" file is overwritten with the code that the cybercriminal placed in the payload.

The second vulnerability, in FUDforum v3.1.1, allows a hacker to launch a persistent (stored) XSS attack. The FUDforum admin panel has a file manager that allows files to be uploaded to the server, including files with a PHP extension. An attacker can use the persistent XSS to upload a PHP file that can execute any command on the server.

A flaw in GitBucket v4.37.1 could allow a hacker to launch a persistent XSS attack in various locations. A cybercriminal might try to use it to execute code on the server. In addition, the admin panel has tools for executing SQL queries against the database.

GitBucket uses the H2 database engine by default. There is a public remote code execution exploit for this database. To carry out an attack, a hacker simply needs to create a PoC code based on this exploit, upload it to a repository and use it during the attack.
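The findings above share one pattern: an XSS bug in an admin panel becomes RCE because the panel echoes untrusted input unencoded and its file manager accepts server-executable uploads. The following PHP is an added illustration of the two corresponding defensive controls; it is not code from the article or from Evolution CMS, FUDforum or GitBucket, and the parameter name, upload directory and allowed file types are assumptions.

```php
<?php
// Added example, not the projects' own code. Two controls that break the
// "admin-panel XSS -> PHP upload -> RCE" chain described in the article.

// 1. Reflected XSS: an admin page that echoes a request parameter.
//    Vulnerable form (do not use):  echo "<h1>Results for " . $_GET['q'] . "</h1>";
//    Hardened form: HTML-encode every value interpolated into markup.
function renderSearchHeading(string $q): string
{
    return '<h1>Results for ' . htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// 2. Admin file manager: a denylist of ".php" is easy to get wrong
//    (.phtml, .phar, mixed case). Use an allowlist and verify the content type.
const ALLOWED_TYPES = [
    'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif' => 'image/gif', 'pdf' => 'application/pdf', 'txt' => 'text/plain',
];

function isUploadAllowed(string $originalName, string $detectedMime): bool
{
    $base = basename($originalName);           // drop any directory component
    if (substr_count($base, '.') !== 1) {      // rejects "shell.php.png" and extension-less names
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return false;
    }
    return ALLOWED_TYPES[$ext] === $detectedMime;   // extension and sniffed type must agree
}

// $file is one entry of $_FILES; $uploadDir is assumed to sit outside the web
// root or to have PHP execution disabled for it in the web server config.
function handleUpload(array $file, string $uploadDir): ?string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isUploadAllowed($file['name'], $mime)) {
        return null;
    }
    // Server-chosen file name: the client never controls the stored path.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

Neither control removes the need for the vendor patches; they limit what an XSS payload can reach if one slips through.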

At the moment, information about the discovered vulnerabilities has been brought to the attention of users. Fixes are available in the applications' official repositories:
