Maintainers patched the flaws; admins should update

Jun 12, 2015 15:20 GMT

Older versions of the open source content management system (CMS) Concrete5 are affected by multiple security flaws, one of which could allow an attacker to execute arbitrary PHP code remotely.

Security researcher Egidio Romano found the weakness in version 5.7.3.1 of the CMS and believes that earlier releases are likely affected as well.

Improper input sanitization lets extra command-line options slip in

He found that the value of the “register_notification_email” POST parameter is stored in a configuration setting without proper sanitization, and from there ends up on a command line executed by the web server.

According to Romano, the sanitizeString() function applied to the value never checks that what the user submitted is a valid email address.

“This value is used as a sender email address to send out a notification email when a new user is being registered, and this is done using the PHP mail() function, specifically passing such value to its fifth parameter,” he explains in a blog post on Thursday.

That fifth parameter of mail() is appended as extra command-line options to the sendmail binary the server is configured with, so whoever controls the value can add options of their own. Romano says an attacker can use this to make the sendmail program write the email traffic to an arbitrary file, which is how an unvalidated sender address turns into code execution.

Changing the setting requires an authenticated administrator, so an outside attacker needs some social engineering: luring a user with the necessary privileges into opening a malicious link that performs the change through a cross-site request forgery (CSRF) attack.
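The pattern Romano describes, as an added example that is not Concrete5's code: a stored setting that has only been through a generic string sanitizer reaches the fifth argument of mail(), shown beside a version that validates the address at the point of use and refuses anything that cannot be a plain sender. The function names and the sample inputs are assumptions made for this illustration; the “-X” option in the hostile input is sendmail's transcript-file flag, the kind of option the researcher says an attacker can append.

```php
<?php
// Added example, not Concrete5 code: the shape of the bug described above
// (a stored setting reaching mail()'s fifth argument) beside a hardened
// version. Function names and the sample inputs are constructed for this
// illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern. The setting has only been through a generic string
 * sanitizer (stand-in below: strip_tags), which never checked that it is an
 * email address, so spaces and extra "-" options survive and reach sendmail.
 *
 * PHP's mail() passes this string through escapeshellcmd() internally, which
 * stops command chaining (";", "|", backticks) but leaves whitespace alone,
 * so an extra whitespace-separated option still gets through.
 */
function vulnerable_mail_params(string $storedSetting): string
{
    $sanitized = strip_tags($storedSetting);
    // Where it ends up in the real flow (not executed in this demo):
    // mail($to, $subject, $body, $headers, '-f' . $sanitized);
    return '-f' . $sanitized;
}

/**
 * Hardened pattern. Validate the value as an email address at the point of
 * use (not only when it is stored), reject anything that could not be a
 * plain sender address, and shell-escape what remains. Returns null when
 * the value must not be used, so the caller can fall back to a default.
 */
function safe_mail_params(string $storedSetting): ?string
{
    $email = filter_var(trim($storedSetting), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL tolerates some quoted local parts. A sender
    // address handed to sendmail never needs whitespace, quotes or shell
    // metacharacters, so refuse them outright rather than trying to escape.
    if (preg_match('/[\s\'"`$\\\\]/', $email) === 1) {
        return null;
    }
    // escapeshellarg() single-quotes the value; mail() leaves paired quotes intact.
    return '-f' . escapeshellarg($email);
}

/**
 * Runs both builders over a legitimate address and a hostile one of the kind
 * the advisory describes: the extra "-X" option asks sendmail to write a
 * transcript of the session to a file the attacker names.
 */
function demo(): array
{
    $legit   = 'noreply@example.com';                            // constructed
    $hostile = 'noreply@example.com -X/tmp/attacker-chosen.log'; // constructed

    return [
        'vulnerable_legit'   => vulnerable_mail_params($legit),
        'vulnerable_hostile' => vulnerable_mail_params($hostile),
        'safe_legit'         => safe_mail_params($legit),
        'safe_hostile'       => safe_mail_params($hostile),
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (demo() as $case => $result) {
        printf("%-18s => %s\n", $case, var_export($result, true));
    }
}
```

Run it with the PHP CLI: the vulnerable builder hands the hostile string to sendmail with its extra option intact, while the hardened one returns null for it (the embedded space already fails FILTER_VALIDATE_EMAIL) and a single-quoted -f argument for the legitimate address. The point of the second check is that validating at storage time, as a sanitizer does, is not enough; the value must be validated where it is turned into a command-line option.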

Admins should install the latest Concrete5 release

The researcher found two more vulnerabilities in the CMS, one of them an SQL injection that affects versions 5.7.4 and earlier. In this case, exploitation requires an account with rights to edit page permissions.

Both of these issues, along with a set of cross-site scripting (XSS) vulnerabilities, have been patched by the Concrete5 developers; the current build is 5.7.4.2. However, administrators often delay applying the newest update, sometimes skipping even major revisions, which leaves the website exposed.

Although the issues are not trivially exploitable, since each needs either a privileged account or a successful CSRF against one, a motivated attacker can be expected to invest that effort.

Popular websites built on this CMS include those of Cambridge University Press (cambridge.org), Freshdesk, a cloud-based customer support platform, and Philippine Airlines.