Concrete CMS
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*
- <= 9.5.0
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Concrete CMS versions through 9.5.0. The issue arises because the application does not validate CSRF tokens before processing requests to prepare remote upgrades for installed marketplace packages. An attacker controlling the remote package can overwrite the package's PHP file on disk and execute its upgrade method, leading to remote code execution as the web server user. To exploit this vulnerability, the victim must have the 'canInstallPackages' permission, be connected to the Concrete marketplace, and have a vulnerable package installed from the marketplace.
Exploitation of this vulnerability allows for remote code execution on the server, executed as the web server user.
To reproduce this vulnerability, an attacker must first upload a malicious package to the Concrete marketplace, targeting a known marketplace item ID. The victim must then be persuaded to navigate to a page that triggers the vulnerable update preparation request without a valid CSRF token, while the site is connected to the Concrete marketplace and the attacker controls the package being upgraded.
Users can upgrade to Concrete CMS version 9.5.1 or later, where this vulnerability has been fixed.
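The root cause described above is a state-changing request (preparing a remote package upgrade) that is processed without a CSRF token check. The snippet below is an added illustration of the general control that closes this class of issue; it is not Concrete CMS code and does not reproduce the 9.5.1 fix. The handler name `prepareRemoteUpgrade`, the request field `csrf_token`, and the session key are hypothetical.

```php
<?php
// Added illustration, not Concrete CMS code: a minimal state-changing
// request handler that enforces a per-session CSRF token before doing
// anything with side effects. Names here are hypothetical.

declare(strict_types=1);

session_start();

// Issue one random token per session; embed it in forms or an AJAX header.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session token.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical "prepare remote upgrade" handler. The vulnerable pattern is
// to act on the request parameters without the checks below; the hardened
// pattern rejects the request before any package data is fetched or written.
function prepareRemoteUpgrade(array $request): string
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        return 'POST required';
    }
    if (!csrfTokenIsValid($request['csrf_token'] ?? null)) {
        http_response_code(403);
        // Worth logging: a burst of these from one session is a detection signal.
        error_log('Rejected upgrade-prepare request: missing or invalid CSRF token');
        return 'Invalid request token';
    }
    // Defence in depth: browsers send Sec-Fetch-Site on cross-origin requests.
    $fetchSite = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? 'same-origin';
    if ($fetchSite !== 'same-origin' && $fetchSite !== 'none') {
        http_response_code(403);
        return 'Cross-site request rejected';
    }
    // Only now is it safe to touch anything with side effects.
    $itemId = (int)($request['item_id'] ?? 0);
    return "Upgrade preparation accepted for marketplace item {$itemId}";
}

// Example wiring: a GET renders the token into a form, a POST is validated.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET') {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo "<form method=\"post\"><input type=\"hidden\" name=\"csrf_token\" value=\"{$token}\">"
       . "<input type=\"hidden\" name=\"item_id\" value=\"1\"><button>Prepare upgrade</button></form>";
} else {
    echo htmlspecialchars(prepareRemoteUpgrade($_POST), ENT_QUOTES, 'UTF-8');
}
```

The two properties that matter are that the token check happens before any side effect (fetching the remote package, writing PHP to disk, invoking an upgrade method) and that the comparison uses `hash_equals` rather than `==`. The `Sec-Fetch-Site` check is a secondary layer only; the session-bound token remains the control, and for this advisory the actual remediation is upgrading to 9.5.1 or later.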