ConcreteCMS Denial-of-Service Vulnerability in File Manager Component

Vulnerability

A denial-of-service vulnerability has been identified in ConcreteCMS version 9.4.7, in the File Manager component. The issue is in the 'download' method of 'concrete/controllers/backend/file.php': when a user downloads several files at once, the method reads each selected file fully into PHP memory while building the ZIP archive, so peak memory grows with the combined size of the selection rather than staying bounded. An authenticated user with access to the File Manager can therefore push the worker past the PHP memory limit; the PHP-FPM worker handling the request is terminated and the web server answers with a 500 Internal Server Error.

Impact

Exploitation of this vulnerability crashes PHP-FPM worker processes (the server logs show the worker exiting on SIGSEGV), so the affected request is never served and the client receives an HTTP 500. Because each request loads the selected files entirely into RAM, the effect scales: a user who issues several such downloads concurrently ties up several workers at once and can exhaust the memory available to the whole PHP-FPM pool, degrading service for every other user of the site.

Reproduction

To reproduce this vulnerability, log into the ConcreteCMS dashboard and navigate to the File Manager. Upload two or three large files, each over 50MB (the server's 'upload_max_filesize' and 'post_max_size' settings must allow files of that size, and the combined size of the selection must exceed the configured PHP 'memory_limit', which is 128M in the default production php.ini). Select the large files using the checkboxes and click the Download button. After the PHP worker exhausts its memory limit and crashes, the server returns a 500 Internal Server Error; the PHP-FPM and web server error logs confirm the crash.

Remediation

It is recommended to replace 'ZipArchive::addFromString' with 'ZipArchive::addFile' in the download method. 'addFromString' requires the caller to have the whole file contents in a PHP string, whereas 'addFile' only records the path of the source file and libzip reads from it when the archive is written on 'close()', so memory use no longer depends on the size of the selected files. Two caveats apply: the source file must be on the local filesystem and must remain readable until 'close()' returns, and since 'addFile' does not remove the incentive to request very large selections, the endpoint should additionally enforce an upper bound on the combined size of a single download.
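The pattern described above, beside the remediated form, as an added illustration that is not ConcreteCMS code: 'buildZipInMemory' reproduces the memory-hungry approach ('file_get_contents' followed by 'addFromString'), 'buildZipStreaming' uses 'addFile' instead, and 'assertTotalSizeWithin' is an assumed, illustrative size cap applied before zipping. The three 64 MiB sample files are generated by the script itself so that it runs offline; the file names, the 256 MiB cap and the temporary paths are choices made for this example only.

```php
<?php
// Added example, not code from ConcreteCMS. Demonstrates the in-memory
// ZipArchive pattern from the advisory, the streaming replacement, and a
// size cap applied before any file is touched.
declare(strict_types=1);

/**
 * The pattern the advisory describes: every selected file is read into a PHP
 * string before being handed to ZipArchive. Peak memory is roughly the sum of
 * the selected file sizes, so a selection larger than memory_limit aborts the
 * worker. Left here for comparison; do not use.
 */
function buildZipInMemory(string $zipPath, array $files): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    foreach ($files as $entryName => $localPath) {
        // file_get_contents() materialises the whole file in RAM.
        $zip->addFromString($entryName, file_get_contents($localPath));
    }
    $zip->close();
}

/**
 * Remediated pattern: addFile() stores only the source path; libzip reads the
 * file when close() writes the archive, so memory stays bounded regardless of
 * file size. Source files must remain readable at that path until close().
 */
function buildZipStreaming(string $zipPath, array $files): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    foreach ($files as $entryName => $localPath) {
        if (!is_file($localPath) || !is_readable($localPath)) {
            $zip->close();
            throw new RuntimeException("unreadable source file: $localPath");
        }
        if ($zip->addFile($localPath, $entryName) !== true) {
            $zip->close();
            throw new RuntimeException("could not add $localPath to archive");
        }
    }
    $zip->close();
}

/**
 * Assumed defensive check for a download endpoint: refuse the selection if the
 * combined size exceeds a ceiling, before any archive work starts. The cap is
 * an example value, not a ConcreteCMS setting.
 */
function assertTotalSizeWithin(array $files, int $maxBytes): void
{
    $total = 0;
    foreach ($files as $localPath) {
        $total += filesize($localPath);
        if ($total > $maxBytes) {
            throw new RuntimeException("selection exceeds the $maxBytes byte download cap");
        }
    }
}

// Constructed input: three 64 MiB files written to the temp directory.
$tmp = sys_get_temp_dir();
$files = [];
$chunk = str_repeat('A', 1024 * 1024);
for ($i = 1; $i <= 3; $i++) {
    $path = "$tmp/cms-example-large-$i.bin";
    $fh = fopen($path, 'wb');
    for ($n = 0; $n < 64; $n++) {
        fwrite($fh, $chunk);
    }
    fclose($fh);
    $files["large-$i.bin"] = $path;
}

$zipPath = "$tmp/cms-example-bundle.zip";
assertTotalSizeWithin($files, 256 * 1024 * 1024);   // 192 MiB selected, passes
buildZipStreaming($zipPath, $files);

printf("memory_limit: %s\n", ini_get('memory_limit'));
printf("archive size: %d bytes\n", filesize($zipPath));
printf("peak PHP memory for streaming build: %.1f MiB\n",
    memory_get_peak_usage(true) / (1024 * 1024));

unlink($zipPath);
foreach ($files as $path) {
    unlink($path);
}
```

Running the script with the default 128M 'memory_limit' completes the streaming build with peak PHP memory far below the 192 MiB of input; swapping the 'buildZipStreaming' call for 'buildZipInMemory' under the same limit reproduces the "Allowed memory size exhausted" fatal error the advisory is about. In an application whose file storage is not a local directory, the source would first have to be streamed to a temporary file on disk, since 'addFile' takes a filesystem path.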

Added: Mar 24, 2026, 3:28 PM
Updated: Mar 24, 2026, 3:28 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.4
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.