Cockpit CMS Authenticated Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Cockpit CMS versions up to and including commit 494765e. The vulnerability lies in the '/cockpit/collections/save_collection' endpoint, which allows an authenticated attacker with collection management privileges to inject arbitrary PHP code through the collection's rules parameters. The injected code is written directly into a server-side PHP file and executed via include(), giving the attacker arbitrary command execution on the underlying server.

Impact

Exploitation of this vulnerability leads to full remote code execution on the server.

Reproduction

To reproduce this vulnerability, log into Cockpit CMS as a user with collection management privileges. Create a new collection and click the 'Save' button, intercepting the resulting request with Burp Suite. Modify the request so that the collection's 'rules' parameter contains PHP code. Once the request is sent, the injected PHP code is executed on the server.

Remediation

Remove the code path that writes user input into a PHP file and executes it. Instead, store rules as data in JSON format, and implement strict validation that rejects PHP tags or any other executable content.
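As an added illustration, not Cockpit CMS's own code, the vulnerable pattern the advisory describes is shown beside the remediated one; the function names, file layout and the hypothetical 'rules' structure are assumptions:

```php
<?php
// Added example; not Cockpit CMS code. saveRulesVulnerable(), saveRulesSafe()
// and loadRules() are hypothetical names; only the overall pattern follows the advisory.

// BEFORE (the pattern the advisory describes): the user-supplied 'rules' value is
// written verbatim into a PHP file that is later include()d, so any PHP inside
// the value runs on the server.
function saveRulesVulnerable(string $dir, string $name, string $rules): void
{
    file_put_contents("$dir/$name.rules.php", "<?php\nreturn " . $rules . ";\n");
    // ...and elsewhere: $r = include "$dir/$name.rules.php";
}

// AFTER: rules are data. They are validated, serialized to JSON and read back
// with json_decode(); nothing user-controlled is ever executed.
function validateRules(array $rules): void
{
    array_walk_recursive($rules, function ($value, $key) {
        foreach ([$key, $value] as $s) {
            if (is_string($s) && preg_match('/<\?|\?>|<script/i', $s)) {
                throw new InvalidArgumentException("executable content rejected in rule: $s");
            }
        }
    });
}

function saveRulesSafe(string $dir, string $name, array $rules): void
{
    // The collection name is restricted to a safe character set so it cannot escape $dir.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid collection name');
    }
    validateRules($rules);
    $json = json_encode($rules, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
    file_put_contents("$dir/$name.rules.json", $json, LOCK_EX);
}

function loadRules(string $dir, string $name): array
{
    // json_decode() parses; it never evaluates. A PHP tag inside a string stays inert text.
    return json_decode(file_get_contents("$dir/$name.rules.json"), true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample input: a benign rule is stored, a value carrying PHP tags is rejected.
$dir = sys_get_temp_dir();
saveRulesSafe($dir, 'posts', ['read' => ['role' => 'editor']]);
echo loadRules($dir, 'posts')['read']['role'], "\n";
try {
    saveRulesSafe($dir, 'posts', ['read' => '<?php echo 1; ?>']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The tag check is a defence-in-depth layer; the fix that actually closes the hole is that rules are loaded with json_decode() and never passed to include() or eval().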

Added: Apr 29, 2026, 8:22 PM
Updated: Apr 29, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 7.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.