Critical vulnerability: Server-Side Template Injection / RCE Attack #2677
Comments
@buxu Thanks for finding this issue and filing a ticket.

Attack Surface

An authenticated and authorized developer can add code that runs on the preview server. This isn't an attack on the delivery system, but an attack by a trusted agent against the development tool/system they're using. It's important to note that Crafter CMS is an author-by-the-few, consume-by-the-many system. This means a trusted developer that's authorized to develop code on this system (one of the trusted few) is intentionally developing code to exploit the preview subsystem, and if their code is allowed (approved) for final go-live, it can exploit the delivery tier. See the first arch diagram: https://docs.craftercms.org/en/3.0/developers/architecture.html

Premise

Risk

Mitigation

Code changes
Yes, using TemplateClassResolver.SAFER_RESOLVER can prevent the use of some classes such as freemarker.template.utility.ObjectConstructor, freemarker.template.utility.Execute and freemarker.template.utility.JythonRuntime, which can be used to perform an RCE attack.
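An added example (not Crafter CMS's own code) of the mitigation this comment refers to: a FreeMarker Configuration that installs TemplateClassResolver.SAFER_RESOLVER, plus a constructed probe template that only attempts to instantiate ObjectConstructor through ?new so you can confirm the resolver refuses it. The FreeMarker version constant, template names and model values are assumptions.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class SaferFreemarkerConfig {

    /** Build a Configuration that refuses ?new on the dangerous utility classes named in the thread. */
    public static Configuration hardenedConfiguration(StringTemplateLoader loader) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28); // assumed version constant
        cfg.setTemplateLoader(loader);
        // SAFER_RESOLVER blocks ObjectConstructor, Execute and JythonRuntime.
        // ALLOWS_NOTHING_RESOLVER is the stricter choice when templates never need ?new at all.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        // Keep the ?api built-in off so templates cannot reach raw Java objects behind the wrappers.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Render a named template; returns null when FreeMarker refuses it with a TemplateException. */
    public static String render(Configuration cfg, String name, Map<String, Object> model) throws Exception {
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        try {
            t.process(model, out);
        } catch (TemplateException e) {
            return null; // the class resolver rejected an attempt to instantiate a blocked class
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        StringTemplateLoader loader = new StringTemplateLoader();
        // Constructed sample templates: an ordinary page and a probe that merely constructs ObjectConstructor.
        loader.putTemplate("page.ftl", "<h1>${title}</h1>");
        loader.putTemplate("probe.ftl",
            "<#assign oc = \"freemarker.template.utility.ObjectConstructor\"?new()>ok");
        Configuration cfg = hardenedConfiguration(loader);
        Map<String, Object> model = new HashMap<>();
        model.put("title", "Hello");
        System.out.println("page.ftl  -> " + render(cfg, "page.ftl", model));
        String probe = render(cfg, "probe.ftl", model);
        System.out.println("probe.ftl -> " + (probe == null ? "refused by SAFER_RESOLVER" : "ALLOWED (misconfigured)"));
    }
}
```

With the resolver in place the probe template is refused and render returns null; if it ever renders "ok", the Configuration actually serving templates is not the hardened one.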
The Freemarker fix has been implemented, as well as a Java Tomcat policy. A full Groovy sandbox will be implemented in a later version.
Was the 3.0.18E AMI updated with the Freemarker fix? If so, as of what date? December 26th? I don't currently see a way to view AMI update history, so I'm just trying to determine whether or not my current instances are vulnerable (without manually attempting to reproduce myself). Thanks.
Are you able to switch to the 3.0.20 AMI? If not, you can patch/upgrade your AMI's binaries; see the built-in upgrade script.
Describe the bug
Attackers may execute OS commands by creating/editing a template file (.ftl file type) that uses the FreeMarker library to render a web page.
To Reproduce
Steps to reproduce the behavior:
1. Edit a template file.
2. Add code as shown below and click OK.
3. View the web page; a Windows OS command was executed (tested on Windows).
Specs
- Version: 3.0.18
- OS: Windows
- Browser: Firefox