AlchemyCMS Remote Code Execution Vulnerability via Eval Injection in ResourcesHelper

Vulnerability

A remote code execution vulnerability has been identified in AlchemyCMS versions prior to 7.4.12 and 8.0.3. The issue is in the ResourcesHelper module, where eval() is used to evaluate the string held in the resource_handler.engine_name attribute as Ruby code. The call is marked to suppress the security linter's warning about eval, which indicates the risk was known and accepted rather than addressed. Because the string is evaluated in the helper's own context, an authenticated attacker who can influence engine_name can execute arbitrary Ruby and, through it, arbitrary commands on the host operating system. engine_name is taken from the resource's module configuration rather than directly from request parameters, so exploitation requires the ability to modify that configuration, i.e. write access to the Alchemy project's files or source on the server.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server where AlchemyCMS is hosted.

Reproduction

The vulnerability can be reproduced by supplying a resource_handler whose engine_name attribute contains a crafted string of Ruby code in place of an engine name. When resource_url_proxy is called for that handler, eval() evaluates the string, so the injected code runs on the server with the privileges of the application process.
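The following is an added, stripped-down illustration of the pattern the advisory describes and of the fix; it is not AlchemyCMS's own code. The names RouteProxies, Handler, ResourceHelper, UnsafeHelper, SafeHelper, AllowlistHelper and shop_engine are assumptions chosen for the example, and the payload is constructed to leave an observable side effect instead of spawning a shell.

```ruby
# Added example, not AlchemyCMS code. All class and method names are assumptions.

# Stand-in for the resource handler: engine_name comes from module configuration.
Handler = Struct.new(:engine_name) do
  def in_engine?
    !engine_name.nil? && !engine_name.empty?
  end
end

# Stand-ins for the route-proxy methods Rails exposes on view helpers.
module RouteProxies
  def shop_engine
    :shop_engine_routes
  end

  def main_app
    :main_app_routes
  end
end

class ResourceHelper
  include RouteProxies
  attr_reader :resource_handler

  def initialize(handler)
    @resource_handler = handler
  end
end

# Vulnerable shape: the configured string is evaluated as Ruby in the helper's scope.
class UnsafeHelper < ResourceHelper
  def resource_url_proxy
    if resource_handler.in_engine?
      eval(resource_handler.engine_name) # the injection point
    else
      main_app
    end
  end
end

# Fixed shape, as the advisory describes the upstream fix: look up a method by name.
class SafeHelper < ResourceHelper
  def resource_url_proxy
    if resource_handler.in_engine?
      public_send(resource_handler.engine_name)
    else
      main_app
    end
  end
end

# Tighter variant (assumption, not the upstream fix): only registered engine
# names are accepted, so even a public method name cannot be smuggled in.
class AllowlistHelper < ResourceHelper
  KNOWN_ENGINES = %w[shop_engine].freeze

  def resource_url_proxy
    return main_app unless resource_handler.in_engine?

    name = resource_handler.engine_name
    raise ArgumentError, "unknown engine #{name.inspect}" unless KNOWN_ENGINES.include?(name)

    public_send(name)
  end
end

# Constructed payload: a real attacker would run a shell command here; this one
# only sets a global so the effect of arbitrary Ruby running can be observed.
PAYLOAD = "$injected = 'code ran'; shop_engine"

# Runs one helper against one engine_name and returns [result, side_effect].
def demonstrate(helper_class, engine_name)
  $injected = nil
  helper = helper_class.new(Handler.new(engine_name))
  [helper.resource_url_proxy, $injected]
rescue NoMethodError, ArgumentError => e
  [e.class, $injected]
end

if __FILE__ == $PROGRAM_NAME
  [UnsafeHelper, SafeHelper, AllowlistHelper].each do |klass|
    puts "#{klass}: legit=#{demonstrate(klass, 'shop_engine').inspect} " \
         "payload=#{demonstrate(klass, PAYLOAD).inspect}"
  end
end
```

With UnsafeHelper the payload both sets the global and still returns the expected route proxy, so the attack is invisible to the caller; with SafeHelper the same string is just an unknown method name and raises NoMethodError before anything runs. The allow-list variant additionally rejects any string that is not a registered engine, which closes the residual gap that public_send will still call any public method whose name happens to be supplied.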

Remediation

Upgrade to AlchemyCMS 7.4.12 or 8.0.3, which replace eval() with public_send() in resource_url_proxy, so the configured string is only used to look up a method by name instead of being evaluated as Ruby. Note that public_send still calls any public method whose name matches the string; validating engine_name against the set of registered engines before calling it restricts the value to what it is meant to be.

Added: Jan 19, 2026, 10:20 PM
Updated: Jan 19, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.