CraftCMS file:// Validation Bypass Leading to File Overwrite and Potential RCE

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Name: Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution - Severity: High - Publisher: angrybrad - Published: 4 days ago - Package: php craftcms/cms (Composer) - Affected Versions: >= 5.0.0-RC1, = 4.0.0-RC1, <= 4.12.4.1 - Fixed Versions: 5.4.6, 4.12.5 2. Vulnerability Details: - Description: A vulnerability in CraftCMS allows attackers to bypass local file system validation by exploiting a double scheme (e.g., ). This enables attackers to specify sensitive folders as filesystems, leading to file overwrites, unauthorized access to sensitive files, and in some cases, remote code execution (RCE) via server-side template injection (SSTI) payloads. - Fix: The fix addresses an issue in where only the left-side was stripped. By adding two after the first (e.g., ), attackers could bypass this sanitization. 3. PoC: - Steps: 1. Log in with an admin account and navigate to Settings → Assets, then create a new volume. 2. In the Asset Filesystem section, create a new filesystem and set the base path to . 3. Access the Assets sidebar navigation, then upload a file to this volume. 4. The file is successfully uploaded and stored in the specified sensitive folder (e.g., ). 5. SSTI payloads can be uploaded to the folder. Although full code execution was not achieved during testing, some payloads succeeded, leading to sensitive information disclosure and other potential impacts. 4. Impact: - Attacker: By exploiting this vulnerability, attackers can designate sensitive folders as the base path for a filesystem. For example, if the path is specified (e.g., ), attackers can upload SSTI payloads. Although CraftCMS includes strict SSTI input validation, RCE is still possible if attackers can craft valid payloads, as shown in GHSA-44wr-rmwq-3phw. - Additional Impact: Attackers can also upload tampered files to overwrite critical web application files. By enabling public URLs, attackers can retrieve sensitive files (e.g., configuration files from the local filesystem). 5. Fix: - Fixed Versions: 5.4.6, 4.12.5 - Fix Description: The fix addresses the issue in where only the left-side was removed. By adding two after the first (e.g., ), attackers could bypass the sanitization. 6. CVSS Score: - Score: 8.5 / 10 - Score Factors: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: Required - Impact: Changed - Confidentiality: High - Integrity: High - Availability: High 7. CWE ID: No CWEs 8. Reporter: senzee1984 This information provides a detailed description of the vulnerability, its impact, remediation steps, and assessment results, helping to understand the severity and how to remediate it.

Goal Reached Thanks to every supporter — we hit 100%!

CraftCMS file:// Validation Bypass Leading to File Overwrite and Potential RCE

More from this source