Craft CMS Remote Code Execution Vulnerability via Server-Side Template Injection

Vulnerability

A remote code execution vulnerability has been identified in Craft CMS versions 4.0.0-RC1 prior to 4.17.0-beta.1 and 5.0.0-RC1 prior to 5.9.0-beta.1. The issue arises from an authenticated administrator's ability to inject a Server-Side Template Injection (SSTI) payload into Twig template fields, such as email templates. Exploitation involves using the 'craft.app.fs.write()' method to write a malicious PHP script to a web-accessible directory, which can then be accessed through a browser to execute arbitrary system commands.

Impact

Successful exploitation allows authenticated administrators to execute arbitrary system commands on the server via a web shell, with the same privileges as the web server user.

Reproduction

To reproduce this vulnerability, an authenticated administrator must inject an SSTI payload into a Twig template field, such as an email template. The injected payload should use the 'craft.app.fs.getFilesystemByHandle()' or 'craft.app.volumes.getVolumeByHandle()' method to write a PHP web shell to a web-accessible location. After the payload is executed, the web shell can be accessed through the browser or via curl to execute commands on the server.
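The write primitive described above only appears inside Twig code regions ('{{ ... }}' and '{% ... %}') of a template that an administrator can edit. The following audit script is an added example, not code from the advisory or from Craft CMS: it scans template sources for the service and method names this advisory names (craft.app.fs, getFilesystemByHandle(), getVolumeByHandle(), write()) and reports the template and line of each hit, ignoring mentions outside Twig delimiters so that HTML comments or help text do not trigger it. The template names and contents are constructed sample data; the helper names (audit_template, audit_templates) are this example's own.

```python
import re

# Twig code regions: output tags {{ ... }} and statement tags {% ... %}.
# Only these are scanned; surrounding HTML and comments are ignored.
TWIG_TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)

# Identifiers named in the advisory as the path to an arbitrary file write.
RISKY_PATTERNS = (
    (re.compile(r"\bcraft\.app\.fs\b"), "access to the filesystem service (craft.app.fs)"),
    (re.compile(r"\bgetFilesystemByHandle\s*\("), "filesystem lookup by handle"),
    (re.compile(r"\bgetVolumeByHandle\s*\("), "volume lookup by handle"),
    (re.compile(r"\.write\s*\("), "write() call issued from a template"),
)


def audit_template(name, source):
    """Return a list of findings for one template source string."""
    findings = []
    for tag in TWIG_TAG_RE.finditer(source):
        code = tag.group(0)
        # Line number of the tag's opening delimiter (1-based).
        line_no = source.count("\n", 0, tag.start()) + 1
        for pattern, description in RISKY_PATTERNS:
            if pattern.search(code):
                findings.append({
                    "template": name,
                    "line": line_no,
                    "reason": description,
                    "code": code.strip(),
                })
    return findings


def audit_templates(templates):
    """Audit a {name: source} mapping; return only templates with findings."""
    report = {}
    for name, source in templates.items():
        hits = audit_template(name, source)
        if hits:
            report[name] = hits
    return report


# Constructed sample templates (not taken from any real Craft installation).
SAMPLE_TEMPLATES = {
    # Ordinary transactional email: renders user and order fields only.
    "order_shipped": (
        "<p>Hi {{ user.friendlyName }},</p>\n"
        "<p>Order {{ order.number }} has shipped.</p>\n"
    ),
    # Mentions the service name in an HTML comment, outside any Twig tag.
    "docs_note": (
        "<!-- Templates must not touch craft.app.fs; see the style guide. -->\n"
        "<p>{{ siteName }}</p>\n"
    ),
    # Tampered email template: obtains a filesystem and calls write() from Twig.
    "tampered_email": (
        "<p>Hi {{ user.friendlyName }},</p>\n"
        "{% set fs = craft.app.fs.getFilesystemByHandle('uploads') %}\n"
        "{{ fs.write(somePath, someContents) }}\n"
    ),
}


if __name__ == "__main__":
    for name, hits in audit_templates(SAMPLE_TEMPLATES).items():
        for hit in hits:
            print(f"{name}:{hit['line']}: {hit['reason']}: {hit['code']}")
```

Run against exported email templates (or a database dump of the template fields) after any suspected administrator-account compromise; a finding is a strong indicator that a template has been repurposed as a write primitive, since legitimate email templates have no reason to reach the filesystem service.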

Remediation

Users can update to Craft CMS versions 4.17.0-beta.1 or 5.9.0-beta.1, where this vulnerability has been patched.
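The affected ranges in the Vulnerability section and the fixed versions above both carry pre-release suffixes (RC1, beta.1), which a plain string or tuple comparison gets wrong. The following checker is an added example, not code from the advisory or from Craft CMS: it parses a Craft version string into an orderable key in which alpha < beta < RC < stable release, tests it against the two affected ranges stated on this page, and names the first fixed version for that major line. The function names (parse_version, is_affected, fixed_version_for) are this example's own.

```python
import re

# Pre-release tags ordered as Craft publishes them: alpha, beta, RC, then release.
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
STABLE_RANK = 3

# Accepts "4.16.3", "4.0.0-RC1", "4.17.0-beta.1", "5.9.0-beta" and similar.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?$")

# Affected ranges exactly as stated in this advisory: [lower, upper).
AFFECTED_RANGES = (
    ("4.0.0-RC1", "4.17.0-beta.1"),
    ("5.0.0-RC1", "5.9.0-beta.1"),
)


def parse_version(text):
    """Return an orderable tuple (major, minor, patch, pre_rank, pre_number)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Craft CMS version string: {text!r}")
    major, minor, patch, tag, number = match.groups()
    if tag is None:
        # A final release sorts above every pre-release of the same x.y.z.
        rank, pre_number = STABLE_RANK, 0
    else:
        rank = PRE_RANK.get(tag.lower())
        if rank is None:
            raise ValueError(f"unknown pre-release tag {tag!r} in {text!r}")
        pre_number = int(number) if number is not None else 0
    return (int(major), int(minor), int(patch), rank, pre_number)


def is_affected(version):
    """True if the installed version falls inside an affected range."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """First patched version on the same major line, or None if unaffected."""
    if not is_affected(version):
        return None
    major = parse_version(version)[0]
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo)[0] == major:
            return hi
    return None


if __name__ == "__main__":
    # Constructed sample inventory: values are not taken from any real site.
    for site, ver in {"shop": "4.16.3", "blog": "5.9.0", "intranet": "5.0.0-RC1"}.items():
        target = fixed_version_for(ver)
        print(f"{site}: {ver} -> {'update to ' + target if target else 'not affected'}")
```

The check is strict at both ends: 4.0.0-RC1 and 5.0.0-RC1 are inside the range, the first patched builds 4.17.0-beta.1 and 5.9.0-beta.1 are outside it, and anything before 4.0.0-RC1 (the 3.x line) is reported as not affected by this advisory rather than as safe in general.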

Added: Mar 4, 2026, 5:23 PM
Updated: Mar 4, 2026, 6:16 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.