CVE-2022-33941: PowerCMS XMLRPC API vulnerable to command injection

PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as follows: PowerCMS 6.021 and earlier (PowerCMS 6 Series), PowerCMS 5.21 and earlier (PowerCMS 5 Series), and PowerCMS 4.51 and earlier (PowerCMS 4 Series). Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.


Published: 2022/09/02 Last Updated: 2022/09/02

Overview

PowerCMS XMLRPC API contains a command injection vulnerability.

Products Affected

  • PowerCMS 6.021 and earlier (PowerCMS 6 Series)
  • PowerCMS 5.21 and earlier (PowerCMS 5 Series)
  • PowerCMS 4.51 and earlier (PowerCMS 4 Series)

The developer states that PowerCMS 3 Series and earlier, which are unsupported (End-of-Life, EOL) versions, are affected too.

Description

PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74).
Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.
According to the developer, even if the vulnerability is exploited, a command cannot be executed with an arbitrary value appended to its arguments.

Impact

An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.

Solution

When XMLRPC API is NOT required: Disable XMLRPC API

  • If XMLRPC API is used as CGI/FastCGI
    • Delete mt-xmlrpc.cgi or remove the execute permission from mt-xmlrpc.cgi
      • According to the developer, when the PowerCMS environment variable XMLRPCScript is configured, the file may have been renamed. In that case, apply this countermeasure to the renamed file
  • If XMLRPC API is used as PSGI
    • Configure the environment variable RestrictedPSGIApp to prohibit the XMLRPC application: RestrictedPSGIApp xmlrpc

When XMLRPC API should be kept available: Apply the patch
Apply the patch according to the information provided by the developer.
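The workaround above can be verified from a shell. The audit script below is an added example, not code from the vendor or JPCERT/CC; it assumes the PowerCMS configuration is an MT-style "Directive value" text file that holds both the XMLRPCScript and RestrictedPSGIApp directives, and it checks both the CGI/FastCGI path (script present and executable, honouring a rename via XMLRPCScript) and the PSGI path (RestrictedPSGIApp names xmlrpc).

```shell
#!/bin/sh
# Audit whether the advisory's "disable XMLRPC API" workaround is in place.
# Assumptions (not from the advisory): the config is an MT-style
# "Directive value" text file holding XMLRPCScript and RestrictedPSGIApp.
# Usage: check_xmlrpc_disabled <powercms_dir> <config_file>
# Returns 0 when both paths are closed, 1 when either is still exposed.
check_xmlrpc_disabled() {
  dir="$1"; cfg="$2"; status=0

  # CGI/FastCGI path: the script may have been renamed via XMLRPCScript,
  # so read that directive first and fall back to the default file name.
  script=$(awk '$1 == "XMLRPCScript" { print $2 }' "$cfg" 2>/dev/null | tail -n 1)
  [ -n "$script" ] || script="mt-xmlrpc.cgi"
  if [ -x "$dir/$script" ]; then
    echo "EXPOSED: $dir/$script is present and executable (CGI/FastCGI path)"
    status=1
  else
    echo "OK: $dir/$script is absent or not executable"
  fi

  # PSGI path: RestrictedPSGIApp must list xmlrpc as a whole token
  # (whitespace- or comma-separated); "xmlrpcfoo" must not count.
  if grep -Eq '^[[:space:]]*RestrictedPSGIApp[[:space:]]+(.*[[:space:],])?xmlrpc([[:space:],]|$)' "$cfg" 2>/dev/null; then
    echo "OK: RestrictedPSGIApp restricts the xmlrpc application"
  else
    echo "EXPOSED: RestrictedPSGIApp does not restrict xmlrpc (PSGI path)"
    status=1
  fi
  return $status
}

# Constructed demo (not a real deployment): default script still executable
# and no RestrictedPSGIApp line, so both paths report EXPOSED.
demo=$(mktemp -d)
printf '# constructed config without RestrictedPSGIApp\n' > "$demo/mt-config.cgi"
touch "$demo/mt-xmlrpc.cgi" && chmod 755 "$demo/mt-xmlrpc.cgi"
check_xmlrpc_disabled "$demo" "$demo/mt-config.cgi" || echo "workaround NOT fully applied"
rm -rf "$demo"
```

Run it against the directory that serves the PowerCMS CGI scripts and the configuration file of that installation; a non-zero exit means at least one of the two entry points is still reachable.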

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector (AV): Network (N)
Access Complexity (AC): Low (L)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): Partial (P)
Availability Impact (A): Partial (P)

Credit

Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
