InfoSecBulletin Cybersecurity for mankind
A major security flaw in Craft CMS, a popular PHP content management system, has been found, enabling unauthenticated remote code execution (RCE) with default settings.
The vulnerability CVE-2024-56145 was reported by security researchers and quickly patched by the Craft CMS team within 24 hours.
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
PHP has improved over the years but still faces security challenges. While older vulnerabilities like register_globals and magic_quotes_gpc are resolved, some design quirks can cause critical issues.
The recent flaw in Craft CMS shows how ordinary PHP behaviors can lead to security vulnerabilities.
At the heart of this vulnerability is the register_argc_argv configuration setting in PHP. This setting controls if command-line arguments ($_SERVER[‘argc’] and $_SERVER[‘argv’]) are available when a script runs.
In PHP, the register_argc_argv option is enabled by default, which can cause issues when query strings are used in web-hosted scripts. The official Craft CMS Docker image has this setting enabled, making it potentially vulnerable.
How the Vulnerability Works:
The issue with Craft CMS is in its handling of command-line options during startup. Developers found that query strings can manipulate paths for important files, such as configuration files and templates.
Attackers could exploit this behavior to control file paths and execute arbitrary code.
Researchers showed that using an ftp:// link to host malicious templates on an FTP server allowed them to bypass security checks and inject harmful code into a vulnerable Craft CMS.
Adam Kues found that Craft CMS’s attempt to secure its template engine (Twig) wasn’t foolproof. Attackers could use tricks like the sort filter combined with call_user_func to bypass these security measures and execute remote code.
Impact and Mitigation:
Craft CMS is used by over 150,000 websites worldwide, including major enterprises. A vulnerability risked organizations using the platform’s default settings.
The Craft CMS team quickly released patched versions 5.5.2+ and 4.13.2+. Users should upgrade their installations right away. Full report here.
