
PublicCMS system has a command execution vulnerability(CVE-2025-57516)

Open · dengxmenglihua opened this issue 4 months ago · 1 comment

Download Link

https://www.publiccms.com/download.html

Download the latest version, PublicCMS-V5.202506.b.

Image

Only the two latest versions were tested, and both have this issue: PublicCMS-V5.202506.a and PublicCMS-V5.202506.b.

The following tests were conducted using the latest version, PublicCMS-V5.202506.b.

Vulnerable Versions

PublicCMS-V5.202506.a, PublicCMS-V5.202506.b

Vulnerability Principle

As shown in the figure below, when the file name is backupdb.bat or backupdb.sh, the value of cmdarray is built from the database name, database username, and database password. These values are not validated or filtered; they are passed as parameters to the backupDB.bat file. Only the name of the file to be executed is verified.

Image

The code shown in the figure executes the backupDB.bat file.

Image

The backupDB.bat file is shown in the figure below. The database name, database username, and database password are passed into this file as parameters and concatenated directly; the command is ultimately executed at the position marked by the red box in the image.

Image

Vulnerability Reproduction

  1. Create a database using phpstudy with a password containing |calc, such as publiccms|calc. The same applies to the database name or username.
Image
  2. Install the system.

Enter the malicious database password as shown in the figure below.

Image
  3. After successful installation, log in to the backend.
Image
  4. Call the interface to execute commands.

Menu trigger location: Site - Execute Script

Vulnerable interface: http://127.0.0.1:8084/admin/sysSite/execScript?navTabId=sysSite/script

I am using a Windows system. Select backupDB.bat, click Execute, and the vulnerability is triggered successfully.

Image Image

Practical exploitation:

  1. The target system is in a pending-installation state.
  2. Set up a database on the public network with a malicious password, such as publiccms|calc.
  3. After the installation succeeds, log in to the backend and call the vulnerable interface.

Other Verification Methods

Directly modify the database.properties file, for example by changing jdbc.username to publiccms2|calc.

Image

The vulnerability is also successfully triggered.

Image

If developers use command separators when setting passwords, this can also cause problems.

Fix Method

Restrict the use of command separators such as ;, &, | in database names, database usernames, and database passwords.

dengxmenglihua · Aug 06 '25 10:08
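The pattern the report describes, as an added illustration that is not PublicCMS's own code: the database name, username and password are appended to the argument array for backupDB.bat with no check, and a value such as publiccms|calc is then interpreted by cmd.exe when the batch file expands its parameters. The class below models that builder (class name, method names and the script path are hypothetical), adds the check the report's Fix Method asks for, and extends the blocklist beyond ; & | to the other cmd.exe metacharacters (^ < > % ! " and line breaks) that would also escape the argument on Windows. It is plain Java with no dependency on the project.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative only; not PublicCMS's own code. Models the argument array the
 * issue describes being built for backupDB.bat and adds the input check.
 *
 * Note: Runtime.exec(String[]) / ProcessBuilder do not go through a shell,
 * but when the program is a .bat or .cmd file Windows launches it via
 * cmd.exe, so metacharacters inside individual arguments are still honoured.
 */
public class BackupScriptArgs {

    // Conservative blocklist: the separators named in the report (; & |)
    // plus the remaining cmd.exe metacharacters that can break out of an
    // argument (escape, redirection, variable expansion, quoting, newlines).
    private static final Pattern CMD_METACHAR = Pattern.compile("[;&|^<>%!\"\\r\\n]");

    /** True when the value can be passed to a .bat file as a single argument. */
    public static boolean isSafeForBat(String value) {
        return value != null && !CMD_METACHAR.matcher(value).find();
    }

    /** The vulnerable shape from the report: values are appended unchecked. */
    public static List<String> buildUnchecked(File script, String dbName, String user, String password) {
        List<String> cmd = new ArrayList<>();
        cmd.add(script.getAbsolutePath());
        cmd.add(dbName);
        cmd.add(user);
        cmd.add(password);
        return cmd;
    }

    /** Hardened: refuse to build the command if any value carries a metacharacter. */
    public static List<String> buildChecked(File script, String dbName, String user, String password) {
        String[] values = {dbName, user, password};
        for (String v : values) {
            if (!isSafeForBat(v)) {
                throw new IllegalArgumentException("database credential contains a cmd.exe metacharacter");
            }
        }
        return buildUnchecked(script, dbName, user, password);
    }

    public static void main(String[] args) {
        File script = new File("backupDB.bat"); // hypothetical location of the script
        String injected = "publiccms|calc";     // the password used in the report

        // Vulnerable builder: the payload lands in argv unchanged and, once the
        // batch file expands it, cmd.exe runs "calc" after the pipe.
        System.out.println("unchecked argv: " + buildUnchecked(script, "publiccms", "root", injected));

        // Hardened builder: the same payload is rejected before anything runs.
        try {
            buildChecked(script, "publiccms", "root", injected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A clean credential passes and can be handed to ProcessBuilder.
        List<String> ok = buildChecked(script, "publiccms", "root", "S3cretPass");
        System.out.println("checked argv: " + new ProcessBuilder(ok).command());
    }
}
```

A blocklist keeps the report's fix honest on Windows, but the stronger design, which the report does not cover, is to keep the password off the command line altogether: hand it to the script through ProcessBuilder.environment() or a credentials file readable only by the service account, so cmd.exe never parses it and it does not appear in process listings.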

This is an automatic vacation reply from QQ Mail. Hello, I am currently on vacation and cannot reply to your email in person. I will reply to you as soon as possible after the vacation ends.

JDragonZ · Aug 06 '25 10:08