Server-side vulnerabilities in Concrete CMS put thousands of websites under threat

    Several security vulnerabilities in a popular open source web content management system (CMS) could allow a malicious attacker to gain complete control of the underlying web server.


    The issues were found in Concrete CMS by researchers from Fortbridge, who detailed how two race condition vulnerabilities combined with the insecure use of the uniqid() function could allow an attacker with low privileges to achieve remote code execution (RCE).

    Adrian Tiron from Fortbridge told The Daily Swig that the uniqid() function wasn’t cryptographically secure. Instead, it returned a pseudo-random number, “enabling us to guess the name of a pseudo-random directory and then submit a web shell on the web server”.

    As of this year, there are more than 62,000 live websites built with Concrete CMS, the researchers said.

    Various Flaws

    The first vulnerability is a race condition in the file upload function that allows a Concrete CMS user to upload files from a remote server.

    Files are downloaded to ‘$temporaryDirectory’ – a class called Volatile Directory which creates a temporary directory that gets deleted at the end of each request.

    The researchers said that the name of the directory created will always be random, so in order to guess it, they had to brute-force this directory to find where it was originating from.

    A single brute-force request takes 100ms to perform, meaning that the researchers needed time to carry out their attack.

    As they looked to avoid the 60-second cURL timeout, they relied on the uniqid() function, which returned the time and date to the microsecond.

    The blog post reads: “[W]e will add a sleep() for 30-60 secs in the test.php file which gets downloaded from the remote web server.

    “This will basically force the CMS to keep the $temporaryDir directory for 30-60 secs on the local filesystem before deleting it. Enough time for us to brute-force the directory name with Burp Turbo Intruder.”

    Once they had the name of the directory, the researchers were able to request test.php, which writes a permanent shell in the parent directory.

    By making test.php execute for ~30 secs to guess the directory name, a second race condition was created, meaning that test.php will be written on the CMS filesystem.

    This then allowed them to achieve RCE on the web server.
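
    Why a uniqid()-based directory name is guessable, and what an unpredictable one looks like, as an added example that is not code from Concrete CMS or from Fortbridge. The function names decodeUniqid, uniqidCandidates and secureTempDir are hypothetical, and the example assumes uniqid() is called with no arguments.

```php
<?php
// Added example, not Concrete CMS code. All function names are hypothetical.

// uniqid() with no arguments returns 13 hex characters:
// 8 for the Unix time in seconds, then 5 for the microsecond part.
function decodeUniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a plain uniqid() value');
    }
    return [
        'seconds'      => hexdec(substr($id, 0, 8)),
        'microseconds' => hexdec(substr($id, 8, 5)),
    ];
}

// Number of possible uniqid() values when the creation time is known
// to within $windowSeconds (one possible value per microsecond).
function uniqidCandidates(float $windowSeconds): int
{
    return (int) ceil($windowSeconds * 1000000);
}

// Hardened alternative: 128 bits from the OS CSPRNG, owner-only permissions.
function secureTempDir(string $base): string
{
    $path = rtrim($base, '/') . '/' . bin2hex(random_bytes(16));
    if (!mkdir($path, 0700)) {
        throw new RuntimeException("cannot create $path");
    }
    return $path;
}

// The "random" name is just the clock, so it can be read back out of the value.
$id = uniqid();
$t  = decodeUniqid($id);
printf("uniqid %s = %s + %d us\n", $id, date('c', $t['seconds']), $t['microseconds']);
printf("candidates in a 1 s window: %d\n", uniqidCandidates(1.0));
printf("candidates for 16 random bytes: 2^128\n");

$dir = secureTempDir(sys_get_temp_dir());
printf("secure directory: %s\n", $dir);
rmdir($dir); // clean up the demonstration directory
```

    An unpredictable name removes the guessing step; keeping such temporary directories outside the web root additionally stops downloaded files from being requested over HTTP at all.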

    Patch Now

    Speaking to The Daily Swig, Tiron advised Concrete CMS users to update to versions 8.5.7 and 9.0.1, which are currently available.

    He added: “The disclosure process was very smooth, and we didn’t encounter any problems, the Concrete CMS group was very friendly and cooperative.”
