CVE-2024-12789 Overview
CVE-2024-12789 is a code injection vulnerability affecting PbootCMS versions up to and including 3.2.3. The flaw resides in the apps/home/controller/IndexController.php file, where improper handling of the tag argument enables attackers to inject and execute code remotely. Authenticated attackers with low privileges can exploit this issue over the network without user interaction. The vendor addressed the issue in version 3.2.4. Public disclosure of the exploit technique has occurred, increasing the likelihood of opportunistic exploitation against unpatched deployments.
Critical Impact
Remote code injection through the tag parameter in IndexController.php allows attackers to compromise PbootCMS instances and execute attacker-controlled logic on the server.
Affected Products
- PbootCMS versions up to and including 3.2.3
- Component: apps/home/controller/IndexController.php
- Fixed version: PbootCMS 3.2.4
Discovery Timeline
- 2024-12-19 - CVE-2024-12789 published to NVD
- 2025-01-10 - Last updated in NVD database
Technical Details for CVE-2024-12789
Vulnerability Analysis
The vulnerability is classified under [CWE-94] Improper Control of Generation of Code and [CWE-74] Improper Neutralization of Special Elements in Output. PbootCMS is a PHP-based content management system widely used for small business websites. The defect lies in how the IndexController parses the tag argument supplied through HTTP requests. The controller passes attacker-controlled input into a code evaluation path without adequate sanitization or escaping. This allows the injected payload to be interpreted as executable code rather than treated as data. Successful exploitation can lead to arbitrary code execution within the web application context, depending on the runtime privileges of the PHP process.
Root Cause
The root cause is unsafe handling of the tag parameter inside apps/home/controller/IndexController.php. The controller incorporates user input into a code-generation or template-evaluation routine without enforcing a strict allow-list or input validation. Because PbootCMS template tags are resolved server-side, malicious tag content is processed as executable expressions during request handling.
Attack Vector
The attack is remotely exploitable over the network and requires low privileges. An attacker crafts an HTTP request that supplies a malicious value for the tag argument routed to IndexController. When the server processes the request, the injected payload is evaluated, resulting in code execution on the host. No user interaction is required to trigger the vulnerable path. Public technical details have been published in third-party advisories, including VulDB entry #288969 and a GitHub Gist proof-of-concept resource.
No verified exploit code is reproduced here. Refer to the linked technical references for the disclosed payload structure and request format.
Detection Methods for CVE-2024-12789
Indicators of Compromise
- HTTP requests to PbootCMS endpoints containing unusual values in the tag parameter, particularly those including PHP language constructs, function calls, or backtick characters.
- Unexpected child processes spawned by the PHP-FPM or web server worker process serving PbootCMS.
- New or modified PHP files within the PbootCMS web root that do not match the deployed release artifacts.
- Outbound network connections originating from the web server to attacker infrastructure following anomalous requests to the home controller.
Detection Strategies
- Inspect web server access logs for requests targeting routes handled by IndexController with tag parameter values containing special characters, PHP tokens, or encoded payloads.
- Apply web application firewall rules that detect code-injection patterns such as eval, system, exec, and PHP short-tag sequences in query strings and POST bodies.
- Monitor file integrity of the apps/home/controller/ directory and other PbootCMS source paths for unauthorized modification.
Monitoring Recommendations
- Centralize web server, PHP error, and host process telemetry to correlate suspicious requests with subsequent process or file system activity.
- Alert on web server processes invoking shell interpreters, curl, wget, or scripting runtimes outside of normal application behavior.
- Track the installed PbootCMS version across all hosted instances and flag any deployment still on 3.2.3 or earlier.
How to Mitigate CVE-2024-12789
Immediate Actions Required
- Upgrade all PbootCMS deployments to version 3.2.4 or later, which contains the vendor fix for the tag argument handling.
- Audit apps/home/controller/IndexController.php and related template processing code for any local modifications that may reintroduce the unsafe code path.
- Review web server and application logs for prior exploitation attempts targeting the tag parameter and investigate any matches.
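The log review called for here and under Detection Strategies can be scripted. The following is an added example, not code from PbootCMS or the referenced advisories; it assumes combined-format access logs and a query parameter literally named tag, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-format access log entry (assumed format): client, request target, status.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Markers the advisory lists: PHP open tags, backticks, eval/system/exec-style calls.
SUSPICIOUS_RE = re.compile(r'<\?|`|(?:eval|system|exec|passthru)\s*\(', re.I)

def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding so double-encoded values are still inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict if the line carries a code-like tag value, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in query.get("tag", []):  # parse_qs has already decoded once
        tag = fully_decode(raw)
        if SUSPICIOUS_RE.search(tag):
            # A non-error status means nothing blocked the request: triage first.
            return {"client": client, "status": status, "tag": tag,
                    "served": status < 400}
    return None

def scan(lines):
    """Collect findings for every line that matches."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (documentation IP ranges, placeholder values only).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Dec/2024:10:01:02 +0000] "GET /?tag=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Dec/2024:10:03:44 +0000] "GET /?tag=eval%28PLACEHOLDER%29 HTTP/1.1" 200 812',
    '203.0.113.9 - - [20/Dec/2024:10:03:51 +0000] "GET /?tag=%253C%253Fphp HTTP/1.1" 403 153',
    '198.51.100.7 - - [20/Dec/2024:10:05:10 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs normally record only the request line, so tag values sent in POST bodies need request-body logging or WAF telemetry to be reviewed the same way.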
Patch Information
The vendor has released PbootCMS 3.2.4, which addresses CVE-2024-12789. Administrators should obtain the update from the official PbootCMS distribution and validate the upgrade in a staging environment before production rollout. Additional context is available in the VulDB CTI entry #288969.
Workarounds
- If immediate patching is not feasible, deploy WAF rules that block or sanitize tag parameter values containing PHP syntax, function names, or encoded equivalents.
- Restrict access to PbootCMS administrative and authenticated endpoints by source IP where the deployment model permits.
- Run the PHP process under a least-privilege account to limit the impact of successful code execution.
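# Example WAF-style filter to block suspicious tag parameter content.
# Reject requests where the 'tag' query parameter contains PHP code markers.
# $arg_tag holds the raw (not URL-decoded) value, so the percent-encoded
# forms of <, ?, ( and ` are matched as well. Only the query string is
# inspected; POST bodies need a separate control.
location / {
    if ($arg_tag ~* "((<|%3c)(\?|%3f)php|(eval|system|exec|passthru)(\(|%28)|`|%60)") {
        return 403;
    }
}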


