VYPR
Unrated severity · NVD Advisory · Published Mar 18, 2022 · Updated Aug 3, 2024

CVE-2022-25578

Description

taocms v3.0.2 allows attackers to execute code injection via arbitrarily editing the .htaccess file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

taocms v3.0.2 allows authenticated attackers to inject arbitrary code by editing the .htaccess file, enabling remote PHP execution.

Vulnerability

taocms v3.0.2, an open-source content management system, suffers from a code injection vulnerability in its administrative file manager. An attacker with administrative access can use the web-based editor to modify arbitrary files, including the .htaccess file in the document root. Apache reads per-directory .htaccess files wherever the server configuration's AllowOverride setting permits it, and the AddType directive is honoured under the FileInfo override class. By appending a directive such as AddType application/x-httpd-php .php3, the attacker causes mod_php to interpret files with the .php3 extension as PHP scripts, turning what the application treats as a harmless text upload into executable code. The affected version is confirmed as v3.0.2; earlier versions may also be impacted but are not explicitly mentioned in the available references [2].

Exploitation

An attacker requires valid administrator credentials to log into the taocms backend, so this is a post-authentication issue whose severity lies in converting application-level admin rights into operating-system-level code execution. From the backend, the attacker navigates to the file management section, locates or creates the .htaccess file, and inserts the AddType rule via the edit functionality. A new file with a .php3 extension containing arbitrary PHP code is then uploaded to the server; because the extension is not .php, upload filters keyed on that extension do not block it. Requesting this file through a web browser causes Apache to hand it to PHP and execute the injected code [2].
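The procedure above leaves a distinctive artifact: a .htaccess file in the web root that maps a non-standard extension to the PHP handler. The following scanner is an added example for this advisory, not taocms code or anything from the cited references. It parses .htaccess content the way Apache does (whole-line comments only, directives case-insensitive) and flags the three directive families an attacker would use to stage a webshell: AddType with a PHP MIME type, AddHandler/SetHandler routing to PHP, and php_value overrides of include-related settings. Both .htaccess samples are constructed; the malicious one uses the exact AddType directive named in the advisory, and the handler and ini-setting lists are a starting point that an operator would extend for their own estate.

```python
"""Scan Apache .htaccess content for directives that make non-PHP extensions
execute as PHP (the CVE-2022-25578 technique) or re-point PHP's include path.

Added example for this advisory page; not taocms code. Sample inputs are
constructed; the handler and ini lists are partial and assumed.
"""
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed sample: what an attacker would write through the taocms file manager.
MALICIOUS_HTACCESS = """\
# looks like routine rewrite config
RewriteEngine On
AddType application/x-httpd-php .php3
php_value auto_prepend_file /tmp/pre.txt
"""

# Constructed sample: a typical benign front-controller rewrite plus a MIME tweak.
BENIGN_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?s=$1 [QSA,L]
AddType image/webp .webp
"""

# Handlers / MIME types that hand a request to PHP (mod_php, php-cgi, or php-fpm
# via a proxy handler). Partial list, assumed for this example.
PHP_HANDLER = re.compile(r"x-httpd-php|php\d*-script|php-cgi|fcgi://", re.I)
ADDTYPE = re.compile(r"^AddType\s+(\S+)\s+(.+)$", re.I)
HANDLER = re.compile(r"^(AddHandler|SetHandler)\s+(\S+)(.*)$", re.I)
PHP_INI = re.compile(r"^php_(?:admin_)?(?:value|flag)\s+(\S+)", re.I)
# PHP settings changeable from .htaccess (PHP_INI_PERDIR / PHP_INI_ALL) that an
# attacker uses to pull in code from elsewhere on disk.
SENSITIVE_INI = {"auto_prepend_file", "auto_append_file", "include_path", "open_basedir"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    directive: str
    reason: str


def _directives(text: str) -> Iterator[tuple[int, str]]:
    """Yield (line_no, directive), skipping blanks and comment lines.
    Apache treats '#' as a comment only at the start of a line, so text after
    an inline '#' is deliberately not stripped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def scan_htaccess(text: str) -> list[Finding]:
    """Return one Finding per directive that routes files to PHP or alters PHP includes."""
    findings: list[Finding] = []
    for n, line in _directives(text):
        m = ADDTYPE.match(line)
        if m and PHP_HANDLER.search(m.group(1)):
            exts = " ".join(m.group(2).split())
            findings.append(Finding(n, line, f"maps extension(s) {exts} to the PHP handler"))
            continue
        m = HANDLER.match(line)
        if m and PHP_HANDLER.search(m.group(2)):
            findings.append(Finding(n, line, f"{m.group(1)} routes requests to PHP"))
            continue
        m = PHP_INI.match(line)
        if m and m.group(1).lower() in SENSITIVE_INI:
            findings.append(Finding(n, line, f"overrides sensitive PHP setting {m.group(1)}"))
    return findings


def php_extensions(text: str) -> set[str]:
    """Extensions the .htaccess causes to execute as PHP, normalised to a leading dot."""
    exts: set[str] = set()
    for _, line in _directives(text):
        m = ADDTYPE.match(line)
        if m and PHP_HANDLER.search(m.group(1)):
            exts.update(m.group(2).split())
        m = HANDLER.match(line)
        if m and m.group(1).lower() == "addhandler" and PHP_HANDLER.search(m.group(2)):
            exts.update(m.group(3).split())
    return {e if e.startswith(".") else "." + e for e in exts}


if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_HTACCESS), ("benign", BENIGN_HTACCESS)):
        found = scan_htaccess(text)
        print(f"{name}: {len(found)} finding(s); PHP extensions: {sorted(php_extensions(text))}")
        for f in found:
            print(f"  line {f.line_no}: {f.directive!r}: {f.reason}")
```

Run against every .htaccess under a document root (for example via os.walk) as a periodic integrity check, and diff the result against a known-good baseline; on a site where .htaccess is never supposed to change, any finding or any modification is worth an alert. The scanner mirrors mod_php semantics; on php-fpm deployments the SetHandler proxy rule is the one to watch.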

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to full remote code execution (RCE) in the context of the web server user. This can result in complete compromise of the web application and underlying server, including data theft, malware deployment, or further lateral movement within the network.

Mitigation

No official fix has been published as of the disclosure date (2022-03-18). The project's website (taocms.com) resolved to a domain sales landing page at the time of the references, with no security update available [1], which suggests the project is unmaintained. Administrators who must keep running taocms should restrict network access to the admin panel, make .htaccess non-writable by the web server user, and set AllowOverride None (or at minimum exclude FileInfo) for the document root so that directives such as AddType in a .htaccess file are ignored by Apache; with the override disabled, editing the file no longer changes how uploads are executed. Migration to a maintained CMS should be planned if no patch is released. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • taocms/taocms (source: description)
  • Taogo/Taocms (source: llm-fuzzy)
    Range: =3.0.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.