Introduction

During an engagement, Sam Schroder discovered a vulnerability in Statamic CMS, an open-source web application content management system (CMS) that runs on PHP. Due to a lack of filename sanitisation, unauthenticated users can upload and overwrite files outside of the configured directory. This could lead to a complete loss of integrity for the victim.

Info

Statamic CMS (versions < 5.17.0) is affected by a path traversal through the file upload feature, caused by insufficient sanitisation of user-supplied filenames. Specifically, the bug affects the assets field of front-end forms: an attacker can craft special filenames that bypass the directory restrictions the field imposes and upload files outside the intended destination. This may allow an attacker to overwrite key files or place unauthorised files in system areas of the application filesystem or within the containerised environment.

This is rated a medium-risk vulnerability: it allows full compromise of the integrity of the application container, but it cannot reach file paths outside that container. An attacker who gains access to the exposed upload functionality could use it to change any configuration file inside the container, or to upload malicious scripts, depending on the configured allow list of file extensions. The threat increases when the upload path is shared among several key components of the system.

The core issue is missing input validation and sanitisation of the filename at upload time. Statamic CMS does not reject commonly abused characters, so it is vulnerable to path traversal attacks that use directory traversal sequences such as ../ to reach locations outside the restricted directory. The problem is made worse by the fact that the application relies on the supplied filename to decide where the file should be stored.

First, the attacker needs access to a form or upload endpoint that processes user-supplied files. From there, they can construct a filename designed to traverse directories and deposit the file in a location of their choice. The upload functionality is intended to be usable by anyone, including unauthenticated users.
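The two paragraphs above describe the root cause (the filename decides the storage location, and traversal characters are not rejected) and the resulting attack path. The following is an added example, not Statamic's own code or its 5.17.0 fix, showing the two defensive layers an upload handler needs so that a user-controlled filename can never steer the write outside the configured upload directory. The class name, method names and sample inputs are assumptions constructed for illustration; it requires PHP 8 for str_contains() and str_starts_with().

```php
<?php
declare(strict_types=1);

// Added example (not Statamic's code). Layer 1 collapses the user-supplied
// name to a single safe path component; layer 2 re-checks containment on the
// resolved path as defence in depth. Names below are assumptions.

final class SafeUploadPath
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("Upload directory missing: $baseDir");
        }
        $this->baseDir = $real;
    }

    // Layer 1: accept only a plain file name, never a path.
    public static function sanitizeFilename(string $name): string
    {
        // NUL bytes truncate the string in the underlying filesystem calls.
        if (str_contains($name, "\0")) {
            throw new InvalidArgumentException('NUL byte in filename');
        }
        // Fold backslashes so Windows-style separators are caught too.
        $name = str_replace('\\', '/', $name);
        if (str_contains($name, '/')) {
            throw new InvalidArgumentException('Path separator in filename');
        }
        if ($name === '' || $name === '.' || $name === '..' || $name[0] === '.') {
            throw new InvalidArgumentException('Invalid filename');
        }
        // Conservative allow list: encoded forms such as "%2e%2e" are rejected.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $name)) {
            throw new InvalidArgumentException('Disallowed characters in filename');
        }
        return $name;
    }

    // Layer 2: build the destination and verify it still lies under $baseDir.
    public function resolve(string $userFilename): string
    {
        $name   = self::sanitizeFilename($userFilename);
        $target = $this->baseDir . DIRECTORY_SEPARATOR . $name;

        // realpath() fails for files that do not exist yet, so normalise the
        // parent directory and compare with a trailing separator so that
        // "/var/uploads-evil" is not accepted as a child of "/var/uploads".
        $parent = realpath(dirname($target));
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($parent === false || !str_starts_with($parent . DIRECTORY_SEPARATOR, $prefix)) {
            throw new RuntimeException('Resolved path escapes upload directory');
        }
        return $target;
    }
}

// Demonstration with constructed inputs: only the plain name is accepted.
$tmp = sys_get_temp_dir() . '/uploads_demo';
@mkdir($tmp, 0700, true);
$resolver = new SafeUploadPath($tmp);

$samples = [
    'report.pdf',
    '../../.env',
    '..\\..\\config\\app.php',
    '/etc/passwd',
    "evil\0.php",
    '%2e%2e/passwd',
];
foreach ($samples as $s) {
    try {
        printf("%-28s -> %s\n", json_encode($s), $resolver->resolve($s));
    } catch (Throwable $e) {
        printf("%-28s -> REJECTED (%s)\n", json_encode($s), $e->getMessage());
    }
}
```

Rejections are worth logging with the original filename: a burst of names containing ../ or NUL bytes against a public form is a cheap, high-signal detection for exactly the probing this advisory describes.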

Proof of Concept

The PoC can be found on youtube here: https://youtu.be/pK-KloyCIzw

How To Fix

Upgrade to Statamic CMS 5.17.0 or greater.

Acknowledgements

I would like to thank everyone at Bastion Security for their support as I was welcomed in for my first cyber security job, and for helping with all my questions. I am proud to be one of you!

Vulnerability Disclosure Timeline

  • 18/11/2024 - Issue Disclosed
  • 19/11/2024 - Vendor Responded
  • 19/11/2024 - CVE Assigned (CVE-2024-52600)
  • 25/11/2024 - Bastion Publishes Advisory
