
CVE-2023-47129 PoC — Statamic CMS remote code execution via front-end form uploads

Source
Associated Vulnerability
Title: Statamic CMS remote code execution via front-end form uploads (CVE-2023-47129)
Description: Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, front-end forms with an asset upload field accept PHP files crafted to look like images. This only affects forms built with the "Forms" feature, not just _any_ arbitrary form, and it does not affect the control panel. The issue has been patched in 3.4.13 and 4.33.0.
Description
Statamic CMS versions <3.4.13 (3.x) and <4.33.0 (4.x) vulnerable to "Remote Code Execution"
Readme
# CVE-2023-47129 - Statamic CMS versions <3.4.13 and <4.33.0 - Remote Code Execution

## Description
In versions <3.4.13 and <4.33.0 of Statamic CMS, where the front-end has a form with an active file upload field, it is possible to submit PHP files crafted to look like images, regardless of the MIME validation rules configured on the field. This allows an attacker to upload arbitrary and potentially dangerous files and, if the web server executes them, to run server-side scripts.

## To Fix
Update Statamic CMS to version 4.33.0 or later (or to 3.4.13 or later on the 3.x line).

## Steps to Reproduce:

**1)** In a Statamic CMS installation, create a form and its respective page.

**2)** In the form blueprint, include an `Asset Field` and in the _“Validation”_ option select, for example, `mimetypes:image/jpeg`, `mimes:jpg`, `image`.

**3)** Create a polyglot JPEG file that carries a PHP script in its comment segment, for example:

```sh
exiftool -Comment="<?php phpinfo(); ?>" image.jpg
```

**4)** Rename this file to `image.php`.

**5)** On the form page, upload the created `image.php` file.

**6)** Now, to execute the file, request `https://yoursite.com/assets/image.php`; the `phpinfo()` output confirms code execution.

_Note: replace `https://yoursite.com` with the address of your test installation._
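As an added example (not part of the PoC repository or of Statamic's code base), the following Python script builds the same kind of JPEG/PHP polyglot the exiftool step produces, shows why the `image` / `mimes` / `mimetypes` rules from step 2 let it through (Laravel derives all three from the file's contents, not from the client-supplied filename), and contrasts that with an extension-aware check plus a small sweep you can run over an asset container after the fact. The two validators are simplified models written for this example, not Statamic's or Laravel's code; the minimal JPEG (SOI + COM + EOI), the file names and the temporary "asset container" are constructed inputs.

```python
import os
import re
import struct
import tempfile
from typing import Optional

# Payload from the PoC's exiftool step
PHP_PAYLOAD = b"<?php phpinfo(); ?>"

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image
COM = b"\xff\xfe"   # comment segment marker


def build_polyglot(payload: bytes = PHP_PAYLOAD) -> bytes:
    """Return JPEG bytes carrying `payload` in a COM segment.

    Offline equivalent of `exiftool -Comment=... image.jpg`: the file still
    begins with the JPEG magic, and the PHP source sits verbatim inside the
    comment. PHP echoes the binary prefix as literal output and executes the
    `<?php ... ?>` block it finds later. (Constructed: a real image also has
    SOF/SOS segments, which magic-byte sniffers do not need.)
    """
    segment = COM + struct.pack(">H", len(payload) + 2) + payload  # length counts itself
    return SOI + segment + EOI


def sniff_mime(data: bytes) -> Optional[str]:
    """Magic-byte sniffing, the way content-based MIME guessers work."""
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    return None


def passes_mime_only_validation(data: bytes) -> bool:
    """Model (assumption, not Laravel's code) of the `image` / `mimetypes:image/jpeg`
    / `mimes:jpg` rules from step 2: only the sniffed content type is consulted,
    so the filename extension plays no part and image.php sails through."""
    return sniff_mime(data) == "image/jpeg"


# Allowed extension per sniffed type; the two must agree.
ALLOWED = {"image/jpeg": {"jpg", "jpeg"}, "image/png": {"png"}, "image/gif": {"gif"}}


def passes_hardened_validation(filename: str, data: bytes) -> bool:
    """Extension-aware check: the stored name's extension must be on an allowlist
    AND match the sniffed type. image.php is rejected although its bytes are a
    valid JPEG, which closes the execute-by-extension path the PoC relies on."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = sniff_mime(data)
    return mime in ALLOWED and ext in ALLOWED[mime]


PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SCRIPT_EXTS = {"php", "phtml", "phar", "php5", "php7"}


def find_suspicious_assets(root: str) -> list:
    """Incident-response sweep over an asset container: flag files that carry a
    script extension, or that sniff as an image yet contain a PHP open tag."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in SCRIPT_EXTS or (sniff_mime(data) and PHP_TAG.search(data)):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo() -> dict:
    """Write the polyglot (under both names) and a benign image into a temporary,
    constructed 'asset container' and report what each check says about them."""
    polyglot = build_polyglot()
    benign = build_polyglot(b"holiday photo")  # same structure, no PHP tag
    with tempfile.TemporaryDirectory() as container:
        for name, data in (("image.php", polyglot), ("pic.jpg", polyglot), ("photo.jpg", benign)):
            with open(os.path.join(container, name), "wb") as fh:
                fh.write(data)
        hits = find_suspicious_assets(container)
    return {
        "sniffed": sniff_mime(polyglot),
        "mime_only_accepts_image_php": passes_mime_only_validation(polyglot),
        "hardened_accepts_image_php": passes_hardened_validation("image.php", polyglot),
        "hardened_accepts_photo_jpg": passes_hardened_validation("photo.jpg", benign),
        "scanner_hits": hits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened check stops the file from being stored under an executable name; it does not strip the PHP text from inside `pic.jpg`, which is harmless while the server only executes by extension but is still worth removing (re-encoding uploads through an image library drops comment segments and other metadata). The sweep is what you would run against an existing asset container to find files uploaded before the upgrade.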

### Reference
* [GHSA-72hg-5wr5-rmfc](https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc)
File Snapshot

/data/pocs/6db9a8c33ef7cb0a950e10fa393186d4bc1a9bc3
└── README.md
(0 directories, 1 file)