Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 4.13.8, < 4.16.3
- >= 5.5.8, < 5.8.4
A vulnerability in Craft CMS versions 4.13.8 up to (but not including) 4.16.3 and 5.5.8 up to (but not including) 5.8.4 allows arbitrary file writes, which can lead to remote code execution. The issue arises when the security key is compromised, enabling attackers to create malicious requests that are processed by the application. Specifically, the vulnerability involves writing files to the '/storage/backups' directory and then using the '/updater/restore-db' endpoint to execute commands on the server via the command line interface.
Exploitation of this vulnerability could result in unauthorized remote code execution on the server where Craft CMS is hosted.
To reproduce this vulnerability, a compromised security key must be obtained. Once the key is compromised, an arbitrary file can be created in the Craft application's '/storage/backups' directory. After the file is placed, a malicious request can be sent to the '/updater/restore-db' endpoint, which will execute the CLI commands embedded in the malicious file.
Users can update to Craft CMS versions 4.16.3 or 5.8.4, where this vulnerability has been fixed.
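For triage, the affected version ranges and the endpoint named above can be checked mechanically. The following is an added example, not part of the advisory or Craft CMS's own code; it assumes a combined-format access log, and the sample log lines and the URL forms in them are constructed.

```python
import re
from urllib.parse import unquote

# Affected ranges as listed on this page: [low, high) per major line.
AFFECTED = [((4, 13, 8), (4, 16, 3)), ((5, 5, 8), (5, 8, 4))]
ENDPOINT = "updater/restore-db"  # endpoint named in the advisory text

# Assumption: Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_version(text):
    """Turn '4.15.0' into (4, 15, 0); any pre-release suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    """True when the version falls inside one of the ranges on this page."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED)

def find_restore_requests(lines):
    """Return (ip, timestamp, method, status) for requests naming the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so %2F and %252F forms of the slash are both normalised.
        target = unquote(unquote(m["target"])).lower()
        if ENDPOINT in target:
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /blog/post HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [12/May/2025:10:01:09 +0000] "POST /index.php?action=updater%2Frestore-db HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.4 - - [12/May/2025:10:02:30 +0000] "POST /actions/updater/restore-db HTTP/1.1" 403 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("4.15.0 affected:", is_affected("4.15.0"))
    for hit in find_restore_requests(SAMPLE_LOG):
        print("review:", hit)
```

A hit is only a lead for review: correlate its timestamp with file creation times under the '/storage/backups' directory before drawing conclusions.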