A significant security vulnerability in Craft CMS, one of the most widely used PHP-based content management systems, has been uncovered, allowing unauthenticated remote code execution (RCE) under default configurations.
The vulnerability, identified as CVE-2024-56145, was disclosed by security researchers and has already been addressed by the Craft CMS team with a patch released within 24 hours.
PHP, a language that has undergone substantial improvements over the years, is no stranger to security challenges. While older vulnerabilities such as register_globals and magic_quotes_gpc have been eradicated, certain quirks in its design can still lead to critical issues.
The recently exposed flaw in Craft CMS highlights how seemingly innocuous PHP behaviors can create exploitable conditions.
At the heart of this vulnerability is the register_argc_argv configuration setting in PHP.
This setting determines whether command-line arguments ($_SERVER['argc'] and $_SERVER['argv']) are populated when a script is run.
By default, register_argc_argv is enabled in PHP, which can lead to unexpected behavior when query strings are passed to web-hosted PHP scripts. In Craft CMS’s official Docker image, this setting is turned on, creating an exploitable scenario.
How the Vulnerability Works
The flaw lies in how Craft CMS processes certain command-line options during its bootstrap sequence. Specifically, developers discovered that query strings could be used to manipulate paths for critical files like configuration files or templates.
By exploiting this behavior, attackers could gain control over file paths and potentially execute arbitrary code.
Researchers demonstrated that by using an ftp:// wrapper to host malicious templates on an FTP server, they could bypass security checks and inject executable code into a vulnerable Craft CMS instance.
Further analysis by Adam Kues revealed that while Craft CMS attempts to sandbox its template engine (Twig) to prevent malicious code execution, clever workarounds—such as using the sort filter with call_user_func—allowed attackers to bypass these defenses and achieve RCE.
Impact and Mitigation
Craft CMS is used by over 150,000 websites globally, including large enterprises. The vulnerability posed a significant risk to organizations using default configurations of the platform.
However, the Craft CMS team acted swiftly to address the issue, releasing patched versions 5.5.2+ and 4.13.2+. Users are strongly advised to upgrade their installations immediately.
For those unable to update, disabling the register_argc_argv setting in their php.ini file provides an effective workaround to mitigate this specific vulnerability.
This incident underscores the importance of understanding PHP’s nuanced behaviors when developing secure applications.
Developers are encouraged to explicitly check whether code is running in a command-line interface (CLI) environment using robust methods like verifying the PHP_SAPI variable rather than relying on potentially ambiguous indicators like $_SERVER['argv'].
The rapid response by both researchers and the Craft CMS team highlights the value of responsible disclosure and proactive patching in minimizing the impact of security vulnerabilities.
While PHP has matured significantly as a language, its legacy behaviors continue to present challenges for developers and security professionals alike.
The CVE-2024-56145 vulnerability serves as a reminder of how small misconfigurations or overlooked features can lead to severe consequences if exploited by attackers.
Researchers also published an CVE-2024-56145 exploitation tool allowing attackers to achieve Remote Code Execution (RCE) via specially crafted payloads.
Organizations must remain vigilant by keeping their software up-to-date and adopting secure coding practices to protect their systems from emerging threats.
For More Interesting Daily Cybersecurity Stories, Follow us on LinkedIn, X and Google News