GHSA-44wr-rmwq-3phw

Опубликовано: 21 авг. 2023

Источник: github

Github: Прошло ревью

CVSS3: 7.2

Описание

Craft CMS vulnerable to Remote Code Execution via validatePath bypass

Summary

Bypassing the validatePath function can lead to potential Remote Code Execution (Post-authentication, ALLOW_ADMIN_CHANGES=true)

Details

In bootstrap.php, the SystemPaths path is set as below.

// Set the vendor path. By default assume that it's 4 levels up from here $vendorPath = $findConfigPath('--vendorPath', 'CRAFT_VENDOR_PATH') ?? dirname(__DIR__, 3); // Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/. $rootPath = $findConfigPath('--basePath', 'CRAFT_BASE_PATH') ?? dirname($vendorPath); // By default the remaining directories will be in the base directory $dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT_DOTENV_PATH') ?? "$rootPath/.env"; $configPath = $findConfigPath('--configPath', 'CRAFT_CONFIG_PATH') ?? "$rootPath/config"; $contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT_CONTENT_MIGRATIONS_PATH') ?? "$rootPath/migrations"; $storagePath = $findConfigPath('--storagePath', 'CRAFT_STORAGE_PATH') ?? "$rootPath/storage"; $templatesPath = $findConfigPath('--templatesPath', 'CRAFT_TEMPLATES_PATH') ?? "$rootPath/templates"; $translationsPath = $findConfigPath('--translationsPath', 'CRAFT_TRANSLATIONS_PATH') ?? "$rootPath/translations"; $testsPath = $findConfigPath('--testsPath', 'CRAFT_TESTS_PATH') ?? "$rootPath/tests";

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()

/** * @param string $attribute * @param array|null $params * @param InlineValidator $validator * @return void * @since 4.4.6 */ public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void { // Make sure it’s not within any of the system directories $path = FileHelper::absolutePath($this->getRootPath(), '/'); $systemDirs = Craft::$app->getPath()->getSystemPaths(); foreach ($systemDirs as $dir) { $dir = FileHelper::absolutePath($dir, '/'); if (str_starts_with("$path/", "$dir/")) { $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.')); break; } } }

ref. https://www.php.net/manual/en/wrappers.file.php

PoC

Create a new filesystem. Base Path: file:///var/www/html/templates

Create a new asset volume. Asset Filesystem: local_bypass

Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates

Create a new route. URI: * , Template: poc.ttml

Confirm RCE on arbitrary path ( /* )

PoC Env

0628 env

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

Ссылки

Пакеты

Наименование

craftcms/cms

composer

Затронутые версииВерсия исправления

>= 4.0.0-RC1, <= 4.4.14

4.4.15

Наименование

craftcms/cms

composer

Затронутые версииВерсия исправления

>= 3.0.0, <= 3.8.14

3.8.15

EPSS

Процентиль: 52%

0.0029

Низкий

7.2 High

CVSS3

CVE ID

CVE-2023-40035

Дефекты

CWE-74

Связанные уязвимости

CVE-2023-40035

CVSS3: 7.2

nvd

больше 2 лет назад

Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15.

EPSS

Процентиль: 52%

0.0029

Низкий

7.2 High

CVSS3

CVE ID

CVE-2023-40035

Дефекты

CWE-74