A critical vulnerability in the popular PHP-based Craft CMS has been discovered, allowing unauthenticated attackers to execute remote code on affected systems.
The security flaw, identified as CVE-2024-56145, affects default configurations of PHP and could potentially impact over 150,000 websites worldwide.
The vulnerability stems from an unexpected behavior in PHP’s register_argc_argv configuration setting. When enabled, this setting allows the population of $_SERVER[‘argv’] from query string parameters, which can be exploited by malicious actors.
Craft CMS’s bootstrap process checks for command-line options using the App::cliOption function. However, this function does not verify whether the application is actually running in a command-line environment.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
As a result, attackers can manipulate certain configuration paths by passing query string parameters.
Craft CMS Vulnerability
Researchers at Assetnote found that by manipulating the –templatesPath parameter, they could force Craft CMS to load template files from an attacker-controlled FTP server. This technique bypasses security checks that typically prevent remote file inclusion.
The exploit chain involves the following steps:
- Setting up an FTP server with anonymous access
- Creating a malicious Twig template file
- Exploiting Craft CMS’s template rendering process
- Bypassing sandboxing attempts using clever filter manipulation
The vulnerability affects Craft CMS versions prior to 5.5.2 and 4.13.2. Websites running these older versions are at risk of complete system compromise through remote code execution.
The Craft CMS team responded swiftly to the reported vulnerability, releasing patches within 24 hours of notification. To protect against this exploit, site administrators should take the following actions:
- Upgrade Craft CMS to version 5.5.2+ or 4.13.2+
- If upgrading is not immediately possible, set register_argc_argv=Off in the php.ini configuration file
This vulnerability highlights the potential security risks associated with PHP’s register_argc_argv feature. Developers are advised to exercise caution when using $_SERVER[‘argv’] in web applications and to explicitly check for CLI execution using PHP_SAPI when necessary.
The discovery of this vulnerability in Craft CMS serves as a reminder of the importance of regular security audits and prompt patching. It also underscores the need for developers to be aware of potentially dangerous PHP configurations and to implement proper security checks in their code.
As the digital landscape continues to evolve, staying vigilant and up-to-date with the latest security practices remains crucial for maintaining the integrity and safety of web applications.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free