Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12cXhmLXI5cGgtY2M5Y84AAzbH

Craft CMS vulnerable to Remote Code Execution via unrestricted file extension

Summary

Unrestricted file extension lead to a potential Remote Code Execution
(Authenticated, ALLOW_ADMIN_CHANGES=true)

Details

Vulnerability Cause :

If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates (even if they are not extensions set in defaultTemplateExtensions = ['html', 'twig'])

    /**
     * Searches for a template files, and returns the first match if there is one.
     *
     * @param string $basePath The base path to be looking in.
     * @param string $name The name of the template to be looking for.
     * @param bool $publicOnly Whether to only look for public templates (template paths that don’t start with the private template trigger).
     * @return string|null The matching file path, or `null`.
     */
    private function _resolveTemplate(string $basePath, string $name, bool $publicOnly): ?string
    {
        // Normalize the path and name
        $basePath = FileHelper::normalizePath($basePath);
        $name = trim(FileHelper::normalizePath($name), '/');

        // $name could be an empty string (e.g. to load the homepage template)
        if ($name !== '') {
            if ($publicOnly && preg_match(sprintf('/(^|\/)%s/', preg_quote($this->_privateTemplateTrigger, '/')), $name)) {
                return null;
            }

            // Maybe $name is already the full file path
            $testPath = $basePath . DIRECTORY_SEPARATOR . $name;

            if (is_file($testPath)) {
                return $testPath;
            }

            foreach ($this->_defaultTemplateExtensions as $extension) {
                $testPath = $basePath . DIRECTORY_SEPARATOR . $name . '.' . $extension;

                if (is_file($testPath)) {
                    return $testPath;
                }
            }
        }

        foreach ($this->_indexTemplateFilenames as $filename) {
            foreach ($this->_defaultTemplateExtensions as $extension) {
                $testPath = $basePath . ($name !== '' ? DIRECTORY_SEPARATOR . $name : '') . DIRECTORY_SEPARATOR . $filename . '.' . $extension;

                if (is_file($testPath)) {
                    return $testPath;
                }
            }
        }

        return null;
    }

When attacker with admin privileges on the DEV or Misconfigured STG, PROD, they can exploit this vulnerability to remote code execution (ALLOW_ADMIN_CHANGES=true)

PoC

Step 1) Create a new filesystem. Base Path: /var/www/html/templates
1

Step 2) Create a new asset volume. Asset Filesystem: template
2

Step 3) Upload poc file( .txt , .js , .json , etc ) with twig template rce payload

{{'<pre>'}}
{{1337*1337}}
{{['cat /etc/passwd']|map('passthru')|join}}
{{['id;pwd;ls -altr /']|map('passthru')|join}}

7
5

Step 4) Create a new global set with template layout. The template filename is poc.js
8

Step 5) When access global menu or /admin/global/test, poc.js is rendered as a template file and RCE confirmed
9

Step 6) RCE can be confirmed on other menus(Entries, Categories) where the template file is loaded.
10
11

Poc Environment) ALLOW_ADMIN_CHANGES=true, defaultTemplateExtensions=['html','twig']
0
13
14

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

Additionally, there are 371 domains using CraftCMS exposed on Shodan, and among them, 33 servers have "stage" or "dev" included in their hostnames.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

2023-03-31 10 29 53

Remediation

Recommend taking measures by referring to https://github.com/craftcms/cms-ghsa-9f84-5wpf-3vcf/pull/1

            // Maybe $name is already the full file path
            $testPath = $basePath . DIRECTORY_SEPARATOR . $name;

            if (is_file($testPath)) {
                // Remedation: Verify template file extension, before return
                $fileExt = pathinfo($testPath, PATHINFO_EXTENSION);
                $isDisallowed = false;

                if (isset($fileExt)) {
                    $isDisallowed = !in_array($fileExt, $this->_defaultTemplateExtensions);

                    if($isDisallowed) {
                        return null;
                    } else {
                        return $testPath;
                    }
                }
            }

remediation

Permalink: https://github.com/advisories/GHSA-vqxf-r9ph-cc9c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cXhmLXI5cGgtY2M5Y84AAzbH
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 5 months ago


CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-vqxf-r9ph-cc9c, CVE-2023-32679
References: Repository: https://github.com/craftcms/cms

Affected Packages

packagist:craftcms/cms
Dependent packages: 2,064
Dependent repositories: 2,755
Downloads: 2,828,824 total
Affected Version Ranges: >= 4.0.0, < 4.4.6
Fixed in: 4.4.6
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5
All unaffected versions: 1.2.2333, 1.2.2335, 1.2.2336, 1.2.2337, 1.2.2339, 1.2.2358, 1.2.2363, 1.2.2367, 1.2.2371, 1.2.2375, 1.2.2387, 1.2.2392, 1.2.2396, 1.2.2399, 1.3.2409, 1.3.2410, 1.3.2415, 1.3.2416, 1.3.2418, 1.3.2419, 1.3.2420, 1.3.2422, 1.3.2456, 1.3.2459, 1.3.2461, 1.3.2462, 1.3.2465, 1.3.2473, 1.3.2485, 1.3.2486, 1.3.2487, 1.3.2494, 1.3.2496, 1.3.2507, 2.0.2524, 2.0.2525, 2.0.2527, 2.0.2528, 2.0.2532, 2.0.2533, 2.0.2535, 2.0.2536, 2.0.2537, 2.0.2538, 2.0.2539, 2.0.2540, 2.0.2541, 2.0.2542, 2.0.2543, 2.0.2548, 2.0.2549, 2.0.2551, 2.1.2554, 2.1.2555, 2.1.2556, 2.1.2557, 2.1.2559, 2.1.2561, 2.1.2562, 2.1.2563, 2.1.2564, 2.1.2566, 2.1.2568, 2.1.2569, 2.1.2570, 2.2.2579, 2.2.2581, 2.2.2582, 2.2.2586, 2.2.2587, 2.2.2588, 2.2.2589, 2.2.2590, 2.2.2591, 2.2.2592, 2.2.2593, 2.2.2596, 2.2.2598, 2.2.2601, 2.2.2604, 2.2.2607, 2.3.2615, 2.3.2616, 2.3.2617, 2.3.2618, 2.3.2620, 2.3.2621, 2.3.2623, 2.3.2624, 2.3.2625, 2.3.2626, 2.3.2627, 2.3.2629, 2.3.2632, 2.3.2635, 2.3.2636, 2.3.2639, 2.3.2640, 2.3.2641, 2.3.2642, 2.3.2643, 2.3.2644, 2.4.2664, 2.4.2666, 2.4.2667, 2.4.2668, 2.4.2669, 2.4.2670, 2.4.2675, 2.4.2677, 2.4.2679, 2.4.2682, 2.4.2684, 2.4.2688, 2.4.2691, 2.4.2692, 2.4.2693, 2.4.2695, 2.4.2696, 2.4.2697, 2.4.2698, 2.4.2699, 2.4.2700, 2.4.2701, 2.4.2702, 2.4.2723, 2.4.2725, 2.4.2726, 2.5.2750, 2.5.2752, 2.5.2753, 2.5.2754, 2.5.2755, 2.5.2757, 2.5.2759, 2.5.2760, 2.5.2761, 2.5.2762, 2.5.2763, 2.5.2765, 2.5.2767, 2.6.2771, 2.6.2773, 2.6.2774, 2.6.2776, 2.6.2778, 2.6.2779, 2.6.2780, 2.6.2781, 2.6.2783, 2.6.2784, 2.6.2785, 2.6.2788, 2.6.2789, 2.6.2791, 2.6.2793, 2.6.2794, 2.6.2795, 2.6.2796, 2.6.2797, 2.6.2798, 2.6.2804, 2.6.2903, 2.6.2911, 2.6.2916, 2.6.2922, 2.6.2923, 2.6.2929, 2.6.2930, 2.6.2931, 2.6.2940, 2.6.2944, 2.6.2945, 2.6.2949, 2.6.2950, 2.6.2951, 2.6.2952, 2.6.2953, 2.6.2954, 2.6.2955, 2.6.2956, 2.6.2957, 2.6.2958, 2.6.2959, 2.6.2960, 2.6.2961, 2.6.2962, 2.6.2963, 2.6.2964, 2.6.2965, 2.6.2966, 2.6.2967, 2.6.2968, 2.6.2969, 2.6.2970, 2.6.2971, 2.6.2972, 2.6.2973, 2.6.2974, 2.6.2975, 2.6.2976, 2.6.2977, 2.6.2978, 2.6.2979, 2.6.2980, 2.6.2981, 2.6.2982, 2.6.2983, 2.6.2984, 2.6.2985, 2.6.2986, 2.6.2987, 2.6.2988, 2.6.2989, 2.6.2990, 2.6.2991, 2.6.2992, 2.6.2993, 2.6.2994, 2.6.2995, 2.6.2996, 2.6.2997, 2.6.2998, 2.6.2999, 2.6.3000, 2.6.3001, 2.6.3002, 2.6.3003, 2.6.3004, 2.6.3005, 2.6.3006, 2.6.3007, 2.6.3008, 2.6.3009, 2.6.3010, 2.6.3011, 2.6.3012, 2.6.3013, 2.6.3014, 2.6.3015, 2.6.3016, 2.6.3017, 2.6.3018, 2.6.3019, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.8.0, 2.9.0, 2.9.1, 2.9.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.0.26, 3.0.27, 3.0.28, 3.0.29, 3.0.30, 3.0.31, 3.0.32, 3.0.33, 3.0.34, 3.0.35, 3.0.36, 3.0.37, 3.0.38, 3.0.39, 3.0.40, 3.0.41, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.3.15, 3.3.16, 3.3.17, 3.3.18, 3.3.19, 3.3.20, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14, 3.4.15, 3.4.16, 3.4.17, 3.4.18, 3.4.19, 3.4.20, 3.4.21, 3.4.22, 3.4.23, 3.4.24, 3.4.25, 3.4.26, 3.4.27, 3.4.28, 3.4.29, 3.4.30, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.5.14, 3.5.15, 3.5.16, 3.5.17, 3.5.18, 3.5.19, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.6.10, 3.6.11, 3.6.12, 3.6.13, 3.6.14, 3.6.15, 3.6.16, 3.6.17, 3.6.18, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.7.9, 3.7.10, 3.7.11, 3.7.12, 3.7.13, 3.7.14, 3.7.15, 3.7.16, 3.7.17, 3.7.18, 3.7.19, 3.7.20, 3.7.21, 3.7.22, 3.7.23, 3.7.24, 3.7.25, 3.7.26, 3.7.27, 3.7.28, 3.7.29, 3.7.30, 3.7.31, 3.7.32, 3.7.33, 3.7.34, 3.7.35, 3.7.36, 3.7.37, 3.7.38, 3.7.39, 3.7.40, 3.7.41, 3.7.42, 3.7.43, 3.7.44, 3.7.45, 3.7.46, 3.7.47, 3.7.48, 3.7.49, 3.7.50, 3.7.51, 3.7.52, 3.7.53, 3.7.54, 3.7.55, 3.7.56, 3.7.57, 3.7.58, 3.7.59, 3.7.60, 3.7.61, 3.7.62, 3.7.63, 3.7.64, 3.7.65, 3.7.66, 3.7.67, 3.7.68, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.8.10, 3.8.11, 3.8.12, 3.8.13, 3.8.14, 3.8.15, 3.8.16, 3.8.17, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.10, 3.9.11, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 4.4.14, 4.4.15, 4.4.16, 4.4.17, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9, 4.5.10, 4.5.11, 4.5.12, 4.5.13, 4.5.14, 4.5.15, 4.6.0, 4.6.1, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0, 4.8.1, 4.8.2, 4.8.3