Bootstrap CMS Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in Bootstrap CMS version 0.9.0-alpha. The issue arises in the Page Creation Handler component, specifically within the file resources/views/pages/show.blade.php. The vulnerability allows for code injection by manipulating the body argument, as the application uses PHP's eval() function to execute user-supplied content without any sanitization. This flaw can be exploited remotely, and the exploit has been made public. The vulnerability affects an unsupported version of Bootstrap CMS.
Impact
Exploitation of this vulnerability leads to remote code execution on the server, with the executed code running under the privileges of the web server process. This could result in complete server compromise, allowing an attacker to gain full control over the web server, access sensitive data such as database credentials and API keys, move laterally within the network, establish persistent access, and potentially escalate privileges to root or SYSTEM.
Reproduction
To reproduce this vulnerability, an authenticated user with edit permissions (such as an Editor role) must log into the application. Once logged in, the user can create a page and include arbitrary PHP code in the body, bypassing XSS protection. After saving the page, the injected code will be executed when the page is accessed.
Remediation
To address this vulnerability, the 'eval' configuration option should be set to false in the config/cms.php file. Additionally, the eval() functionality should be removed entirely, or if dynamic content execution is necessary, a secure templating engine with sandbox restrictions should be implemented.
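The following is an added illustration of the remediation above; it is not code from the Bootstrap CMS project. It contrasts a hypothetical renderer that mirrors the eval() pattern described in the advisory with a hardened one that treats the stored body as data, and adds a boot-time guard for the 'eval' option in config/cms.php (the config array shape is assumed).

```php
<?php
// Added example, not Bootstrap CMS code. Assumes the page body is a string
// stored by an authenticated editor and $cmsConfig mirrors config/cms.php.
declare(strict_types=1);

// Pattern the advisory describes: the stored body is passed to eval(), so
// any PHP an editor saves is executed. Shown for contrast only.
function renderPageUnsafe(string $body): string
{
    ob_start();
    eval('?>' . $body);                 // runs editor-supplied PHP
    return (string) ob_get_clean();
}

// Hardened renderer: the body is never interpreted as code. HTML-escaping is
// the conservative default; if rich HTML is required, replace this with an
// allow-list HTML sanitizer rather than any code-execution path.
function renderPageSafe(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Boot-time guard: refuse to start while the 'eval' option is still enabled,
// so a stale config cannot silently re-open the code-execution path.
function assertEvalDisabled(array $cmsConfig): void
{
    if (($cmsConfig['eval'] ?? false) === true) {
        throw new RuntimeException("config/cms.php: 'eval' must be set to false");
    }
}

// Constructed sample: what an editor might store in the page body.
$body = '<p>Hello</p><?php echo "injected"; ?>';

assertEvalDisabled(['eval' => false]);  // hardened setting from config/cms.php
echo renderPageSafe($body), PHP_EOL;    // emits the escaped text; nothing executes
```

With `'eval' => true` the guard throws instead of letting the application boot, which is the behaviour a deployment check should rely on.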